Hera has adopted an organisational structure suited to adequately manage the exposure to risk inherent in its business. It has defined an integrated approach aimed at maintaining management effectiveness and profitability along the entire value chain.
The corporate governance system for risk management implemented in Hera allows management strategies to be addressed consistently. In this system:
- the Board of Directors steers and evaluates the adequacy of the internal control and risk management system;
- the Executive Chairman and the Managing Director monitor, within their competence, the operation of the internal control and risk management system;
- the Vice Chairman monitors the coordination between the Risk Committee and the Control and Risks Committee;
- the Control and Risks Committee supports the Board of Directors in defining the guidelines of the internal control and risk management system;
- the Risk Committee is the main body that steers, monitors and reports the risk management strategies adopted. It defines the general guidelines for the Risk Management process, guarantees the mapping and monitoring of corporate risks, assures the definition of the Risk Policies and defines the protocols for reporting to the Control and Risks Committee, the Internal Auditing Department and the Board of Statutory Auditors.
In Hera, there is an appropriate separation between the role of risk control and management (entrusted to the risk owners in the various organisational units) and of evaluation of the appropriateness of the risk management processes. Specifically, the proper and effective operation of the internal control and risk management system is monitored at centralised level by the Internal Auditing Department, which reports directly to the Vice Chairman of the Board of Directors.
The two main corporate bodies in charge of supervising risks are described in greater detail below, according to their respective responsibilities.
Control and Risks Committee
The Control and Risks Committee’s duty, in application of Principle 7 of the Code of Conduct, is to monitor the functioning of the internal control system, the efficiency of corporate operations, the reliability of financial information, as well as compliance with the law and regulations and the protection of corporate assets. This Committee also has the task of supporting, with adequate investigations, the Board of Directors in its evaluations and decisions regarding the risk management system. The Chairman of the Board of Statutory Auditors, or an auditor appointed by the Chairman, attends the committee’s meetings, as do the Managing Director and the Chairman of the Board of Directors at the explicit request of the Chairman of the committee.
The Control and Risks Committee met 7 times in 2018.
The Risk Committee
The Risk Committee was appointed in April 2014 and is composed of the Executive Chairman, Vice Chairman and Managing Director of Hera Spa, the Administration, Finance and Control Director, the Market Central Director and the Enterprise Risk Manager. Furthermore, in relation to specific issues falling within their competence, the Legal and Corporate Central Director, the Corporate Services Central Director, the Innovation Central Director and the General Manager of Hera Trading S.r.l. may take part in the meetings.
The Risk Committee is the main body that steers, monitors and provides information about risk management strategies, and has the following tasks:
- defining general guidelines for the risk management process; ensuring corporate risk mapping and monitoring;
- ensuring the definition of risk policies and measurement parameters to be submitted for approval to the Board of Directors of Hera Spa;
- guaranteeing six-monthly reporting to the Board of Directors;
- defining and ensuring the submission of information protocols to the Control and Risks Committee, the Internal Auditing Department and the Board of Statutory Auditors.
The significant risks addressed within the Risk Committee refer to the following areas: strategic, energy, financial, credit, insurance, information and communication technology, safety and the environment, and business continuity.
The Risk Committee met 4 times in 2018.
The ERM approach of the Hera Group
In the overall design of the risk management process, Hera has adopted a structured approach, which is consistent with industry best practice, through the introduction of Enterprise Risk Management (ERM). The aim is to define a systematic approach that is consistent with risk control and management, by creating an effective model with steering, monitoring and representation functions, oriented towards the adequacy of the management processes and their compliance with top management’s goals.
The approach is intended to provide the Board of Directors with useful elements for assessing the nature and level of business risk, especially over the medium to long term, so as to enable the definition of a risk profile that is consistent with the Group’s strategic objectives. This definition is expressed through the approval of the group risk management policy and of the related risk limits by the Board of Directors.
In greater detail, the policy defines the Group’s orientation towards risk issues and identifies the relevant risk management framework, comprising three fundamental elements:
- the risk model, which identifies the scope of reference for the risk management analysis carried out by the Group. It includes the identification of all risks, or rather the types of risk that the Group is potentially exposed to, which are periodically reviewed on the basis of any changes in the mission, strategic objectives and scope of the group’s business, as well as the social and economic context;
- the Group’s risk appetite, which defines the acceptable risk level in compliance with the risk management strategy by means of the identification of:
  - key risk dimensions, i.e. the most relevant risk factors in respect of which the Group intends to express its risk appetite;
  - risk metrics, necessary for measuring exposure arising from a specific risk factor;
  - limits associated with each key risk dimension, which express the related maximum risk level tolerated by the Group in pursuing its goals;
  - monitoring, escalation and updating processes, aimed at promptly identifying whether any defined risk limits have been exceeded, identifying and implementing corrective actions, correctly monitoring significant risk areas and aligning the limits to the group’s risk appetite;
- Risk Management activities, divided into:
  - enterprise risk management, aimed at analysing the evolution of the Group’s overall risk profile, the results of which are the tool used to support informed risk-taking and fix the strategic goals;
  - ongoing risk management, which for specific risks requires continuous sector-based management procedures entrusted to special risk specialists/risk owners, based upon specifically developed processes and methods and formally defined within the risk policies of reference.
Impact is measured with two types of metric: economic-financial and reputational. The economic-financial metric identifies a monetary value deriving from the risk scenario, which is then placed on a scale of values from 1 to 4 whose monetary intervals are defined by Hera’s Board of Directors. The reputational metric measures the extent of the impact on a scale of values from 1 to 4, structured in areas broken down by each stakeholder potentially impacted, which refer to the seriousness of the impact (persistence and extension); this scale is also approved by Hera’s Board of Directors. The two scales are calibrated so as to guarantee comparability between the economic and reputational impact at equal level.
The 2018 ERM analysis did not highlight risks in key areas for either economic-financial or reputational impact. Among the significant risks, by contrast, mention is made of the risk with a reputational impact deriving from possible proceedings by supervisory, regulatory or investigative bodies even where the conduct of the Hera Group complies with the provisions of the law. This risk profile relates to the degree of discretion in launching verification or investigation procedures where the regulations implementing the sector rules are partially lacking, or where interpretations of the prescriptions are absent or equivocal. Among the significant risks, mention is also made of the economic-financial risk deriving from highly critical seismic events.
The described activities guarantee an effective control of all the main risks to which the Group is potentially exposed, as well as the management of the Group’s overall exposure in keeping with the views expressed in the Group’s risk appetite and with the Business Plan objectives.
During 2018, the ERM analysis involved further methodological streamlining and in-depth analysis:
- backtesting of the previous year’s ERM analysis was carried out, aimed at evaluating the consistency of the impacts actually suffered with those estimated, and compliance with the assigned limit on the risk of profitability variability, in the event that a scenario assessed in the analysis materialised. It was also checked whether the effects of these scenarios had been internalised where they would lead to impacts within the plan duration;
- initiatives were carried out to improve the resilience of the Group in the face of risks which may compromise the continuity of the significant activities of the group, in particular:
  - in waste collection and road sweeping services, by identifying operational continuity strategies for when vehicles are unavailable;
  - in district heating, by launching specific vulnerability analyses on the main networks.
  These activities will continue during 2019.
- in-depth analysis was carried out on the supply chain control system structured within the sphere of the certified management systems with a view to the ERM assessment and identification of significant risk scenarios. In collaboration with the Procurement and Tenders Department, the significant risk scenarios and factors inherent to the process were identified, the assignment of the impacts on the significant stakeholders was carried out, and the outstanding safeguards and the associated risk were assessed;
- activities were launched at the beginning of 2019 aimed at identifying the degree of resilience of the water distribution infrastructures in the presence of prolonged drought scenarios associated with climate change.
On 10 January 2019, the Board of Directors was presented with the fourth ERM report; the risk limits for 2019 were also approved, as well as the update of the Hera Group risk management policy guidelines.
The nature of risks and their management
The risks related to the business in which Hera operates, which it manages from an Enterprise Risk Management perspective, fall within the following risk areas, classified as internal, strategic and external based upon the risk model adopted by the Hera Group.
- Internal risks
Nature: these risks, of various types such as operational, organisational and ICT risks, relate specifically to the management of services which employ human, technological and environmental resources, and can cause service interruptions, delays in the construction of new facilities or in the delivery of services, fraud, intrusions, accidents and disasters.
Activity areas: the risks belonging to this driver cut across the Group and regard a wide range of activities that are controlled and managed by specialist teams. The Group gives special focus to workplace safety, to compliance of plant and site operation with environmental legislation and to ICT risk control, especially risks that have an impact on the logical security of information, the security of information and communication networks, and the reliability of remote control, which are necessary to ensure adequate service levels for customers and the operational safety of Hera’s fluid and electricity distribution networks.
Management levers: approach structured on the basis of specific areas in which operational risks arise. In general, a significant role is played by prevention investments to reduce the frequency of adverse events and by mitigation actions to reduce their severity. The management approach for each type of risk is described below.
- Risks related to legislation on environmental impacts: the Group’s activities are subject to several environmental statutes, laws and regulations, including those on CO2 emissions, sewage, and hazardous and solid waste management. The Group is able to tackle environmental risks both through ongoing monitoring of potential pollution factors so as to ensure the transparency of measurements, and through major investments in purification and reclamation plants that guarantee better quality of water compared to the limits provided for by law. The waste collection system seeks to increase the percentage of waste treated at selection, recovery and composting plants, and reduce the use of landfills, in line with the provisions of national and European legislation. Environmental analysis of the sites has been improved to allow more effective data collection and determine the significance of environmental aspects in both normal and emergency conditions.
- Risks associated with regulations on health and safety of workers: the risk related to accidents has seen a steady reduction in accident rates thanks to the initiatives aimed at better monitoring and improving the protection and prevention processes intended to continually reduce the frequency and the severity of accidents, as evidenced by the lower number of accidents, the frequency rate and the lower number of days of absence due to injury.
- Risks associated with logical and physical security: the Group carries out constant monitoring of its IT security risk level, with targeted interventions to ensure the availability, integrity and confidentiality of information managed by the Group. In 2018, measures aimed at ensuring the integrity and availability of Hera systems continued to be implemented, with significant value in terms of risk reduction.
- Risks related to the interruption of services: many risk factors may influence the regular supply of energy and water, such as damage to the network, water shortage or possible contamination of water reserves, leading to interruption of the service or to significant damage of an environmental, economic or social nature. In order to tackle these risks, the Group makes important investments designed to guarantee the effectiveness and efficiency of the distribution system. It also carries out constant monitoring and maintenance of its networks in order to guarantee safety, quality and the constant supply of services even in the presence of temporary interruptions on one or several distribution lines. Furthermore, growing attention to the physical safety of plant sites reduces the likelihood of damage to them. In this context, from 2019 an in-depth analysis was launched of the resilience of the Group’s water supply and distribution system from a medium/long-term perspective, taking into account the possible effects which the climate change process underway may also produce in the relevant areas.
- Strategic risks
Nature: these risks pertain to the formulation of long-term planning, to the implications regarding the Group’s financial sustainability, to the decisions to take part in activities of strategic importance and to appropriate investment decisions.
Activity areas: strategic risks involve the Hera Group in its entirety. They affect the soundness of the strategic planning results envisaged for the various sectors and business units. Achievement of these results is conditioned by various internal and external risks that are appropriately simulated, measured and checked.
Management levers: in 2015, Hera developed a structured model of strategic risk analysis designed to measure the soundness of its business plan. Many adverse risk scenarios were considered, contributing to an integrated view of risks with an enterprise-wide logic. The system allows the performance of scenario analysis, stress testing and possible ‘what if’ events (macroeconomic scenario, competitive environment, internal levers), which also allows the analysis of relevant internal and external risks. These analyses are carried out by formulating deterministic and stochastic scenarios through an adequate analysis of risk factors and the variables associated with them, and an appropriate assessment of the riskiness of the different business sectors. This also allows the evaluation and preparation of alternative strategies aimed at mitigating the adverse effects identified.
- External risks
3 A. External risks: competitive-regulatory risks
Nature: risks related to regulatory interventions by sector authorities and the law (particularly on tariffs and market structure), to government incentives on renewable sources and sector-related laws, regulated businesses related to the concessions of local and national authorities, failure to obtain authorisations, permits and licences, as well as the impact expected from changes in the macroeconomic environment, the market structure and its liberalisation, the development in supply and demand in energy and environment sectors and possible impact on the group’s business.
Activity areas: with regard to the macroeconomic and market scenario, risks mainly affect the Market Department, which through its sale of electricity and gas is exposed to competitive dynamics and to the development of demand, and Herambiente, which is exposed to the variability of the economic cycle. With regard to the regulatory component, competitive-regulatory risks affect network business (water, gas and electricity distribution) and market business (sale of electricity and gas). They occur during the introduction or the modification of economic, organisational and IT requirements which Hera must comply with, as well as during possible changes in the market structure caused by them.
Management levers: approach structured on the basis of specific areas. The management approach for each type of risk is described below.
- Liberalisation of the market: over the years, free-market business has become increasingly important in Hera Group’s portfolio, significantly contributing today to the Group’s financial results. On the one hand, it has reduced the importance of regulated business in the Group’s results, while on the other, it has exposed the Group to increasing competitive pressure due to the entry of new operators and to the development of organised markets. In Italy, especially for the electricity business, the Group competes with other national/international producers and traders that sell electricity on the Italian market to industrial, commercial and residential customers. In the methane business too, the Group must tackle increasing competition both nationally and internationally which could lead to a drop in its sales margins. In order to mitigate this risk, the Group has addressed the challenge of liberalisation. On the one hand, it has innovated its commercial offer and improved the timeliness of its offers by increasing its presence and its customer base on the free market through cross-selling activities. On the other, it has adopted an increasingly proactive approach towards customer management and satisfied customers’ expectations in terms of service quality, by completing the range of services offered to customers and strengthening loyalty. These activities have improved quality and post-sales management service costs for customers and at the same time have reduced new customer acquisition costs.
- Risk connected to the macro-economic context: the Group operates mainly in Italy, where the economic scenario is still difficult featuring a slowdown in the consumption of energy and in the volumes of waste disposed of. The decline in energy demands leads to pressure on trading margins that, added to the greater competition on the free market, may impact the Group’s profitability. Furthermore, changes in the levels of retail energy consumption could require Hera to acquire or sell additional energy at unfavourable conditions. To this end, in selling energy, the Group has maintained flexible supply sources of energy commodities. At the same time, it has developed hedging activities to minimise exposure to operational electricity generation risks (not included in the Group’s core activities) and to long-term contractual gas supply formulas (“Take or Pay” clauses). Regarding waste disposal activities, some old plants were replaced with new generation plants provided with more efficient and top-performing technologies also in terms of environmental impact.
- Changes in the legislative and regulatory framework and revision of tariffs in the regulated waste, water and energy sectors: the Group operates in regulated markets or regulated schemes in which there is a regulatory risk connected to the definition of the tariff criteria by the national Authority (Arera). A change in the legislative and regulatory framework, both at national and European level, could have a significant impact on the Group’s business thus influencing the profitability of the sectors in which Hera carries out its business directly or through its subsidiaries. Furthermore, the regulated tariff regime and the Authority’s regulatory interventions could establish, across several businesses, the application of tariffs to final customers and of remuneration mechanisms on the invested capital. This could affect the Group’s operating performance and results negatively. In order to address this risk, the Group has adopted an organisational structure that manages its relations with national and local Authorities. The structure carries out extensive consultation activities with institutional stakeholders, taking active part in the work groups set up by the Authorities and adopting a transparent, collaborative and proactive approach towards any situations of instability in the regulatory framework.
- Regulated business risks associated with the concessions of local and national authorities: the regulated activities pertaining to waste collection, gas and electricity distribution, integrated water and public lighting services are the result of existing concessions with local authorities (in the case of the integrated water service, gas distribution, waste management and public lighting) or national authorities (in the case of electricity distribution). The Group is subject to the risk that the concessions may not be renewed when they expire or, should they be renewed, that conditions at least comparable to those currently available are not maintained. This risk, however, is mitigated by the presence of a mechanism for reimbursement to be paid to the outgoing operator equal to the industrial residual value of the concession.
- Risks connected to failure to obtain authorisations, permits and licences: the Group’s ability to achieve its strategic objectives could be adversely affected if it is not able to maintain or obtain the required licences, authorisations or permits for the regular performance of its business. This risk is mitigated by constantly supervising the authorisation processes and taking an active part in working groups in order to obtain the relevant permits, licences and authorisations.
3 B. External risks: risks related to weather and climate variability
Nature: risks related to the impact on the Group due to the variability in weather and climate conditions on the electricity and gas demand.
Activity areas: with regard to the meteorological component, risks mainly affect the Central Market Department, which through its sale of electricity, gas and heat is exposed to the variability of demand arising from the various meteorological scenarios.
Management levers: the Group is provided with demand forecasting tools that optimise the use of available sources, and with adequate flexibility in the supply sources of energy commodities. It is also highlighted that within the context of the long-term trend of climate change, the Hera Group is committed to contributing to its mitigation by complying with energy efficiency goals set by the law, by continuing to constantly improve production and by encouraging virtuous and responsible consumption by customers to reduce CO2 emissions and, in general, to minimise environmental impact. In this regard, Hera has created a special Esco (Energy Service Company) which has among its objectives the development of initiatives for both business and domestic customers, aimed at promoting the use of efficient energy production with environmental benefits in terms of CO2 reduction, and the use of efficient and energy-saving technologies designed to ensure optimal use of energy resources with significant advantages both for consumers and the environment. Lastly, the electricity requirements needed to operate the Group’s production sites are met entirely by means of energy from renewable sources.
3 C. External risks: financial risks related to the energy market
Nature: risks relating to variations in the prices of energy, gas and other fuels.
Activity areas: the energy market risks are concentrated in the Central Market Department where the buying and selling of electricity and gas determine risk positions arising from the volatility of energy commodity prices.
Management levers: processes have been set up allowing efficient management of procurement and hedging activities, with specific focus on skills. The approach adopted by the Group involves a single interface for managing risk with regard to the market: Hera Trading, which provides hedging of the Group’s risk positions through specific portfolios dedicated to fuel and electricity, allowing for unified management of risks in compliance with the policies assigned. The approach has many advantages, such as the achievement of higher hedging levels, optimisation of costs by resorting less to the market through the use of netting positions, and greater structuring flexibility with regard to procurement and supply to customers. In 2018 too, the process proved to have adequate strength in terms of risk assessment and control, ensuring compliance with the limits assigned.
3 D. External risks: financial risks related to the debt market
Nature: risks related to variations in interest rates, liquidity, credit spread and exchange rates.
Activity areas: the Group’s financial management is centralised in the Administration, Finance and Control Department which meets the financing needs and cash management for the Group.
Management levers: structuring and implementation of processes for the control and optimal management of financial risks, which make use of close monitoring of the Group’s significant financial indicators and of ongoing presence on the reference markets. The best opportunities are seized in order to minimise the impact of interest rate volatility and ensure an efficient debt service through the optimisation of its structure. The procedures for complying with the requirements of Italian Law 262/2005, intended to ensure that the accounting documents are drafted in a trustworthy manner, are adequately structured and implemented.
3 E. External risks: financial risks related to counterparties
Nature: risks relating to the counterparty’s inability to fulfil the obligations undertaken, either in compliance with the economic conditions or in the execution of the contractual provisions (delivery of goods/services).
Activity areas: the credit risk has an impact across the Group in the various areas where business is conducted: the sale of electricity, gas, heat, waste management recovery and disposal services, and telecommunications services.
Management levers: a structured origination process has been set up in Hera, which is used for specific procedures of credit risk management and allows adequate selection of counterparties through credit checks and/or requests for guarantees where appropriate. Positions with customers and counterparties are also monitored constantly and structured actions are planned which provide proactive management; where appropriate, the Group resorts to external transfer of risk through the optimised use of credit assignment.
The prevention of and the fight against corruption
The handling and prevention of fraud
During 2017, the Hera Group drew up Guidelines, in application as from 15 February 2018, for the purpose of facilitating the further development and co-ordination of the internal control system supporting the prevention and handling of fraud.
The Guidelines assign roles and responsibilities for the prevention, detection and investigation of potential fraud, and promote conduct within the organisation that is consistent and in line with the principles expressed. They also indicate the channels to be used to report any suspicion of fraud: hardcopy post or dedicated e-mail addresses. All the Departments involved must ensure the confidentiality of the information received and handle it in a strictly confidential manner, protecting the identity of the whistle-blower, without prejudice to the legal obligations.
A work group was set up, under the co-ordination of the Compliance Law No. 262/05 function, which developed a methodological technical support tool, the “self-assessment”, for the company Departments and the Group companies, to provide them with elements for self-assessment in identifying the risks and the related prevention controls. This instrument becomes an integral part of the internal control system.
The “self-assessment” includes:
- the types of fraud;
- the fraud risks, i.e. which type of action is implemented;
- the fraud schemes, i.e. how the fraud is implemented.
The document includes, by way of example but not limited to, red flags and analytical controls.
The organisational model for prevention of crimes by the Company
Italian Legislative Decree No. 231/2001 introduced a regime of administrative liability into the Italian legal structure. These measures are applied to entities which commit crimes in their own interest or to their own advantage. These crimes may be committed by natural persons acting as representatives, directors or managers on behalf of the entities, or by natural persons acting under the supervision of such persons or subjected to supervision on their part.
The Board of Directors of Hera SpA and the main subsidiaries of the Group have adopted an organisation, management and control model (231 Model) to ensure conditions of correctness and transparency in conducting business and company activities. The model includes the principles of conduct formalised in the Code of Ethics.
The companies provided with a “231 Model” are: Hera SpA, Acantho, Asa, Frullo Energia Ambiente (Fea), Feronia, Hera Comm, Hera Luce, Hera Servizi Energia, Hera Trading, HERAtech, Herambiente, Herambiente Servizi Industriali, Hestambiente, Inrete Distribuzione Energia, Uniflotte and Waste Recycling. Furthermore, AcegasApsAmga, Energia Base Trieste, Aliplast, Alimpet (these two companies until December 2018), AcegasApsAmga Servizi Energetici SpA and Marche Multiservizi are provided with their own “231 Model”. All these 22 companies (76% of the total of the companies) include 98.2% of Group employees.
Following the mapping of sensitive company activities at risk of the offences included in Italian Legislative Decree 231/2001, the Group companies defined specific protocols to be followed in carrying out certain activities, and made the consequent information flows available on a periodic basis. These protocols are circulated to the entire workforce through the corporate intranet. Their application is monitored during the audit phase. In 2018, the protocols on the management and communication of confidential, privileged and significant information and on the management of laboratory activities were updated.
The Internal Auditing Department assists the various company units in drawing up and implementing the necessary corrective action following the audits. For the purpose of raising the awareness of and training the beneficiaries of the 231 Model, it held specific courses at the subsidiary companies (Asa and Waste Recycling), which concerned aspects of general importance such as the 231 Model of the Hera Group, the Group Protocols and the Internal Control System, as well as aspects focused on the activities of those companies.
Furthermore in 2018, the process was launched for the definition of a management system for the prevention of corruption compliant with the ISO 37001 standard. It is envisaged that certification will be obtained for Hera Spa by the end of 2019.
Risk analysis for definition of the internal audit plan
The Internal Auditing Department’s activities focused on the sectors with the highest risk levels in the Risk Assessment, a document that identifies and weighs – through assessment of the Group’s business areas and of the infrastructure processes – any risk factors and critical points, including the risks of fraud, providing details on the level of risk determined for each segment. On the basis of the Audit Plan for the 2016-2018 period previously approved by the Board of Directors of Hera SpA, the consequent internal audit plan was brought to a close over the course of the year.
With reference to the specific risks related to the topics included within the scope of Italian Legislative Decree No. 231/2001, including the corruption-type risks, identified in the 231 Risk Assessment for the 2016-2018 period, the Supervisory Body in turn carried out the activities set out in the Audit Plan, drawn up on the basis of the risk assessments, coverage of new processes, regulatory developments and the extension of the scope of activities of the companies.
The Hera Group Internal Auditing Department in 2018, in relation to the Group processes, carried out the Risk Assessment with the aim of drawing up an Audit Plan proposal for the three-year period 2019-2022. These activities were carried out on the basis of the results of the previous assessments, on the outcomes and the key aspects of the audit activities performed, the ERM analysis presented to the Board of Directors of Hera S.p.A. in January 2018 and in relation to the sector risks deriving from benchmarks of other companies. The assessments, referring to the risk event, were guided and gauged in relation to the type of the processes or the business: the drivers which supported the assessments and the prioritization of the risk aspects took into account the peculiarities of the Group. The 231/01 risk offences have been identified by macro-processes, assessed ad hoc and included in the risk assessments within the sphere of the compliance risks.