Enterprise risk management
The process
The Enterprise Risk Management process, recently implemented at
Edison, is a tool for the integrated management of the risks faced
by the Group.
The need to develop an Enterprise Risk Management (hereinafter
referred to as ERM) process is the direct result of the
Company’s decision to adopt a systematic approach for the
purpose of qualifying the risk profile associated with its business
activities and, consequently, planning and managing corporate performance
from an integrated profitability-risk perspective. Specifically,
the main objectives pursued with ERM are to:
- identify corporate risks and the processes used to manage them;
- establish a correlation between risk management processes, decision-making processes and Company strategy;
- ensure that the risk management processes are adequately incorporated into the corporate processes.
Concurrently with the growing internal need for greater risk awareness and ever greater integration of risk management processes, the external environment is being characterized by steadily increasing transparency and disclosure obligations with regard to the risks associated with business activities and their profitability objectives. Specific requirements to this effect are set forth, for example, in the Corporate Governance Code for listed companies; the new international accounting principles, IFRS 7 in particular; Legislative Decrees No. 195/2007 and No. 32/2007, which were enacted to implement the Transparency Directive; Legislative Decree No. 231/2001, and subsequent amendments making it applicable to new types of crimes; and Law No. 62/2005 and Law No. 262/2005. In addition, rating agencies and the financial community in general are paying increasing attention to transparency issues and to the effectiveness of Corporate Governance and Risk Management models.
Risk model
With this ERM Policy, the Company defines a Corporate Risk Model
shared by management, which is representative of the types of risks
expected with regard to its business activities. The Risk Model
provides a reference framework and a common language for the
process of identifying, assessing, controlling and reporting
priority corporate risks.
Consistent with the guiding principles of the ERM Integrated
Framework of the Committee of Sponsoring Organizations of the
Treadway Commission (COSO), the best known and most widely
used international ERM standard, which describes the principles,
components and most important concepts concerning the management of
corporate risks, risks can be classified based on the origin
of the inherent risk in terms of the scope of a company’s
business operations. Based on this approach, risk can be classified
into three main categories:
- Risks related to the external environment;
- Process risks;
- Strategic and planning risks.
In addition, the ERM Policy requires the adoption of a risk
mapping and risk scoring method that assigns to each risk a risk
index based on the assessment of its global impact, probability of
occurrence and control level.
Working with the support of the Risk Office, the managers of the
Company’s business units and departments identify and assess
the risks that affect the areas under their jurisdiction and
provide an initial indication of the mitigating actions they have
taken. The results of this process are then consolidated at the
central level into a mapping system in which risks are prioritized
based on the scores assigned to them and aggregated, so as to
facilitate the coordination of mitigation plans within the
framework of an integrated risk management approach.
Because it is carried out concurrently with the budgeting and strategic planning activities, the Enterprise Risk Management process effectively ensures that management focuses on the company’s results by highlighting the link between expected return and risk.
