The elements characterising the internal control and risk management system outlined in detail in the following sub-sections are monitored directly by corporate managers, each in the area under his or her jurisdiction, and, independently, by Edison’s Internal Auditing Department, which carries out risk-based auditing and assessment activities.
Organisational Model Pursuant to Legislative Decree No. 231/2001
In July 2004, Edison and its main subsidiaries adopted the organisational model pursuant to Legislative Decree No. 231/2001 (the 231 Model) designed to prevent the perpetration of the unlawful acts referred to in the corresponding Decree and, consequently, shield the Company from administrative liability. The Model, which was adopted following a detailed analysis of the Company’s operations to identify activities with a risk potential, includes a series of general principles, rules of conduct, control tools, administrative procedures, training and information programs, and disciplinary systems that are designed to prevent, as much as possible, the occurrence of the above-mentioned crimes. The 231 Model includes a general section that explains the Model’s function and principles, as well as the content of Legislative Decree No. 231/2001 and other main reference statutes, and a section that represents the 231 Model’s own core and reviews the 231 Model’s content: from its adoption to the identification of at-risk activities, the definition of protocols, the characteristics and modus operandi of the 231 Oversight Board, the information flows, the training and information activities, the penalty system and Model updates. The Model is completed by several annexes, which are an integral part of the 231 Model itself: 1) Code of Ethics, 2) Protocol to monitor the risk profiles identified in each unit, and 3) Expense Regulations and Guidelines for the management and award of powers of attorney.
In compliance with what is set forth in the 231 Model, the Board of Directors appointed a 231 Oversight Board (“OB”), which is responsible for ensuring that the 231 Model is functioning effectively and is kept up to date, and is required to report to the Board of Directors and the Board of Statutory Auditors at least once every six months. The OB is supported by the Internal Auditing Department, which established a dedicated support unit called Corporate Compliance & Ethics Function, renamed, after the general model for the design and integrated functioning of Ethics and Compliance processes was redefined, Ethics & 231 Compliance, as well as by the Legal & Corporate Affairs Division and the Human Resources & ITC Department.
Even though the law now provides the option of attributing to the Board of Statutory Auditors the functions of the OB, Edison’s Board of Directors did not find it appropriate to use this option, due to the special complexity of Edison’s organisation and the specific competencies required to perform the tasks assigned to the OB. Virtually all of the subsidiaries designated as the OB a member of their Board of Statutory Auditors, who, in the case of major subsidiaries, is supported by a qualified external consultant.
The Oversight Boards of Edison and its subsidiaries receive information flows on a regular basis (every six months) from the individuals responsible for the Model’s implementation (“Unit Officers”).
The 231 Models of Edison and the subsidiaries are continuously updated in light of specific risk assessment activities in relation to the new types of crime introduced over time into the group of presumed crimes for 231/2001 purposes, as well as in light of organisational changes within the Group. An update of Edison’s 231 Model, approved by the Board of Directors at a meeting held on December 21, 2021, was carried out in 2021, specifically to adapt it following the introduction of the offences of smuggling and embezzlement and abuse of office (if detrimental to the financial interests of the European Union) within the scope of the predicate offences for 231 purposes, through the integration of certain rules of conduct contained in the Code of Ethics and in the most impacted decision protocols. An update of the 231 Models of the subsidiaries, based on the work carried out by Edison, is in progress.
Edison’s 231 Model is available on the website www.edison.it in the Governance section.
Training programs about the 231 Model, the Code of Ethics and the Anti-corruption Guidelines continued again in 2021, also through multimedia on-line courses available on the company’s e-learning platform, to guarantee sufficiently detailed knowledge of those documents. In particular, the course dedicated to the Code of Ethics was completely revised and updated during 2021.
The 231 Model envisages that the OB is appointed by the Board of Directors and consists of two independent Directors and an external professional, with the latter acting as Chairman of the OB. All members of the OB must meet the requirements of autonomy, independence and professionalism laid down in the 231 Model and ensure continuity of action in their duties.
Edison’s OB, appointed by the Board of Directors on March 31, 2022, is currently composed of an external professional (Pietro Manzonetto), with the role of Chairman, and two independent Directors (Paolo Di Benedetto and Angela Gamba, who succeeded Nathalie Tocci on April 28, 2020), in office until the end of their term of office as Directors, and therefore until the Shareholders’ Meeting called to approve the 2021 financial statements.
On May 3, 2022, the Board of Directors, acting upon a recommendation by the Compensation Committee, confirmed for the members of the OB the same compensation amounts as in the previous mandate and confirmed the decision of awarding to the Chairman, who is not a Director, a higher compensation than the other two members. The OB has an annual budget of 250,000 euros for the performance of its duties.
The OB met six times in 2021 and held another joint meeting with the Oversight Boards of the Subsidiaries, and a meeting in 2022. At those meetings, it primarily reviewed the findings of audit engagements, the information flows it received from the Unit Officers and the 231 training and compliance activities, as well as the other ethics & compliance initiatives undertaken, and received information on the progress made in updating the Model of Edison and the subsidiaries. The OB was also constantly informed of the provisions gradually assumed by the Group Crisis Committee set up in 2020 by Edison for the purposes of containing the COVID-19 epidemic. The OB also reported every six months to the Board of Directors on the 231 Model’s adequacy and actual functioning, submitting a special report.
In 2021, the members’ average attendance at meetings of the Oversight Board was 100%. The average length of each meeting was about one hour and fifteen minutes.
Code of Ethics
In September 2003, Edison approved a Code of Ethics that is consistent with best international practices. The Code, which defines the principles and values that are the foundation of corporate ethics and the corresponding rules of conduct and implementation procedures, has become an integral part of the 231 Model. The Code, which has been approved by the Group’s subsidiaries, is binding with regard to the conduct of all Group associates (Directors, employees and anyone who acts in the Company’s name by virtue of special proxies or powers of attorney), i.e., anyone who, for any reason and irrespective of the nature of the contractual relationship, contributes to the achievement of the Company’s purposes and objectives. A copy of the Code is provided to all employees and associates of the companies that adopted it. As already stated in previous Reports, the Code of Ethics has been subject to periodic revisions and updates, the last of which took place in December 2021 with the inclusion of two new sections entitled “National and European public funding” and “Import/export and compliance with international legislation”, and the implementation of the new company names following the establishment of the single role of Ethics & Compliance Officer. The Code of Ethics is available on the website www.edison.it in the Governance section.
In May 2015, Edison’s Board of Directors, in view of the strategic choices made by the Company in recent years, which caused the Group to increase its activities outside Italy, and considering the efforts being made by national and international institutions to avert and prevent corruption crimes, adopted the “Anticorruption Guidelines”. These guidelines play a key role within the broader policy pursued by the Group to stress and further emphasise its firm position of absolute rejection of and opposition to any type of corruptive conduct, also in the case of activities carried out in foreign countries. The compliance programme thus developed, which insofar as Italy is concerned complements the 231 Model, is aimed at providing all Edison associates, as well as all those who contribute to the achievement of the Company’s purposes and objectives, with a systematic framework of the existing principles and rules that must be complied with at all times to prevent the occurrence of corruptive episodes in the areas of operating activity deemed to be most at risk. The Italian and foreign subsidiaries have independently taken steps to adopt, by means of a specific resolution by their Corporate Bodies, the “Anti-Corruption Guidelines” and ensure their timely dissemination and application, updated, most recently, in 2019, to also include the conduct falling within the scope of the new offence of “trafficking in illicit influences”.
Edison provides employees, business partners, suppliers and other entities from outside the company organisation with the possibility of reporting, including anonymously, through various channels, including, from 2016, through a dedicated on-line platform.
The Whistleblowing Policy, published on the company website, governs the methods of sending, receiving, managing and processing the reports received, as well as the entities involved in the preliminary investigation activity, in respect of the protection of the whistleblower and the reported person. The Whistleblowing Policy was most recently revised in 2018 to take account of the changes introduced by Law no. 179 of November 30, 2017 (“Provisions for the protection of authors of reports of crimes or irregularities which they have become aware of as part of a public or private employment relationship”) which, with reference to the private sector, made provision, through amendments to art. 6 of Legislative Decree no. 231 of 2001, for the protection of the employee or associate who reports illicit conduct or violations of the entity’s organisation and management model, as well as the preparation (i) of one or more channels that allow reports to be sent, at least one of which is suitable to guarantee - using computerised methods - the confidentiality of the identity of the whistleblower in the management of the reporting and (ii) of disciplinary sanctions against those who violate the whistleblower protection measures.
Accounting Control Model pursuant to Law No. 262/2005 concerning financial reporting
Following the enactment of Law No. 262/2005 on the protection of investments, Edison upgraded, when appropriate, the accounting procedures it uses to prepare financial disclosures and defined the governance rules for the 262 Accounting Control Model it developed, as well as the rules to manage on an ongoing basis regular audits and certifications of the adequacy and effective operation of the 262 Model it developed and assigned responsibilities within its organisation. Additional information is provided in the section of this Report entitled “Financial Statement Reporting and Risk Management and Internal Control System in Relation to the Financial Disclosure Process”.
Tax Control Framework
Edison has a Tax Policy which sets out the basic principles and guidelines of its tax strategy and is a means of dissemination, with the aim of ensuring the correct and timely compliance with tax obligations and more generally the compliance with tax regulations, and to ensure the correct and efficient management of the Group’s taxation system. To this end, the Group has adopted and implemented a Tax Control Framework (TCF) which is part of the broader internal control and risk management system, consisting of a system for detecting, managing and monitoring tax risks in relation to the activities falling within the processes managed by the various business areas, and based on the following key features:
• a body of corporate regulations relating to the management of tax-relevant processes and a set of Risk & Control Matrices which describe the tax risks potentially applicable to corporate processes and the existing control mechanisms to mitigate the risk;
• a system of information flows between Edison’s Accounting & Tax Department and the Group’s organisational units;
• a process for the periodic control of the TCF’s adequacy and effective implementation.
The Internal Auditing Department, supporting the CFO and the Accounting & Tax Department, has the duty of assessing, through testing activities, the effectiveness and effective application of the 262 Model and the TCF model.
Safety, Environmental Protection and Quality
Edison has adopted a system of procedures and organisational structures specifically designed to manage data security issues (including those related to compliance with privacy statutes), the protection of the environment, the safety of its facilities and employees, and the quality of the services it provides.
Compliance with Other Laws and Regulations
The task of monitoring changes in and compliance with laws and regulations has been assigned to the Legal & Corporate Affairs Division (for general legal and corporate issues) and to the Institutional Affairs, Regulatory & Climate Change Division (for issues related to industry regulations), and as of May 7, 2018, to the Personal Data Protection Function (for privacy and personal data protection issues - GDPR).
Data Protection Officer
In 2018, Edison’s Board of Directors adopted a New Privacy Management Model, defining guidelines for the management of corporate and intragroup organisational relations and for the necessary coordination of operating and compliance activities with regard to the processing of personal information. To coordinate the methods for managing personal data processing and the full implementation of the new legislative context, the Board of Directors appointed a Data Protection Officer (DPO) at its meeting on May 4, 2018, entrusting said person with the appointment of the Chief Executive Officer.
Ethics & Compliance Officer
To fully achieve its mission of developing sustainable energy solutions, Edison has enacted a system of policies and procedures to ensure that all of its business activities are inspired by ethics and compliance. In this context and in line with the group policy and best practices on Ethics and Compliance as of December 14, 2018, specific Ethics & Compliance Officers were introduced to supplement institutional responsibilities on the matters of ethics and compliance, to promote the guidelines and policies concerning business ethics and company compliance, and supervise the existing system of policies and regulations, encouraging their updating and dissemination within the Company, employee training on the relative content and the monitoring of their application. In order to effectively fulfil these responsibilities, in 2018 Edison identified the person of the General Counsel, member of Comex, and Manager of the Legal & Corporate Affairs Division, as the Strategic Ethics & Compliance Officer, with the primary responsibility of identifying ethics and compliance guidelines and targets and ensuring that they are shared during meetings of the Audit and Ethics Committee as well as the Executive Committee; at the same time, the individual responsible for the Internal Auditing Department was appointed as the Operational Ethics & Compliance Officer who, within the scope of the targets and guidelines defined as noted above and under the supervision and coordination of the Strategic Ethics & Compliance Officer, ensures that the operational implementation plans are supervised and guarantees periodic reporting on their proper implementation. 
Effective June 2021, with the redefinition of the general model for the design and integrated functioning of Ethics and Compliance processes, the two roles were replaced by the single position of Ethics & Compliance Officer, assigned to the General Counsel, and the responsibilities previously assigned to the Operational Ethics & Compliance Officer were assigned to the new Ethics & Compliance Corporate Governance function, reporting directly to the General Counsel.
To supplement the compliance requirements of the Code of Ethics, the Company adopted an Anti-trust Code that sets forth rules of conduct that must be followed to comply with antitrust laws.
Strategic Planning, Management Control and Reporting
Edison has adopted a structured planning, management control and reporting system that it uses to define the Company’s strategies and objectives and develop its budget and business plan.
Enterprise Risk Management (ERM)
As mentioned earlier in this Report, Edison developed an integrated risk management model (ERM). The main purpose of ERM is to adopt a systematic approach to mapping a company’s priority risks, pre-emptively assess their potential negative effects and take appropriate actions to mitigate them. With this in mind, Edison adopted a risk mapping and risk scoring methodology that assigns a relevance index to each risk based on an assessment of its overall impact, probability of occurrence and level of control, and a Corporate Risk Model, developed in accordance with best industry and international practices that places within an integrated framework the different types of risks that characterise the business in which the Group operates:
- risks related to the external environment, depending on market conditions, the competitive environment within which the Group operates and changes in the political, legislative and regulatory framework;
- operational risks, related to business processes, structures and management systems, in particular with regard to production and marketing activities;
- strategic risks, which are related to the definition and implementation of the company’s strategic guidelines.
More specifically, with the coordination of the Risk Office, the managers of the various company departments map and assess risks within their scope of activity through a risk self-assessment process and provide an initial indication of the mitigating actions associated with those risks.
The results of this process are then consolidated at the central level into a mapping system in which risks are prioritized based on the scores assigned to them and aggregated, so as to facilitate the coordination of mitigation plans within the framework of an integrated risk management approach. The Enterprise Risk Management process is closely linked with the medium/long-term planning process with the aim of associating the Group’s overall risk profile with the projected profitability resulting from the plan/budget document. The results produced by the ERM and risk self-assessment are communicated at scheduled intervals at meetings of the Control and Risk Committee and the Board of Directors and are used by the Internal Auditing Department as a source of information for the preparation of specific risk-based audit plans.
The ERM system is supported by a dedicated IT tool. The main risks and uncertainties affecting Edison and its subsidiaries are discussed in a separate chapter of the Report on Operations and in the notes to the consolidated financial statements, which should be referred to for the details.
Energy Risk Management
In 2006, consistent with best industry practices, the Company, based on a favourable opinion by the Control and Risk Committee (formerly the Internal Control Committee) approved an Energy Risk Policy that defines the objectives and guidelines of the Group’s risk management policy with regard to Group commodity activities. With regard to the risk tied to fluctuations in the prices of the energy commodities it uses, the derivative products and the related foreign exchange risk, the Group adopted a governance structure that includes the following: (i) approval of the overall risk ceiling for the Group by the Board of Directors of Edison; (ii) creation of a Risk Committee that comprises the Chief Executive Officer, Chief Financial Officer, Risk Officer, the manager of the Gas & Power Portfolio Management & Optimization Division and the Chief Executive Officer of the subsidiary Edison Energia with the duty of reviewing, at least once a month, the levels of assumed risks, comparing them with the ceilings approved by the Board of Directors, and approving the hedging strategies that may be appropriate if the approved ceiling has been exceeded; (iii) separation of the organization responsible for measuring and controlling risk exposure and defining risk-hedging strategies, which is centralized at Edison under the supervision of its Chief Financial Officer, for financial market transactions, at the Gas & Power Portfolio Management & Optimization Division for commodity transactions and at the Finance & Treasury Department for foreign currency transactions. For further details on risk management, please refer to the “Risks and Uncertainties” section of the Report on Operations.
System of Corporate Operating Procedures
In order to ensure that corporate directives are properly implemented and the risks entailed by the achievement of corporate objectives are minimised, Edison adopted a set of procedures that regulate internal processes, governing both activities that are carried out internally by each organisational entity and transactions with other entities.
Virtually all of Edison’s and its subsidiaries’ corporate processes are supported by information systems developed with latest-generation technologies and packages capable of supporting both the activities of the business areas and accounting and financial processes. The use of these systems is governed by internal procedures that guarantee safety, privacy and correct use. In addition, availability (i.e., the possibility of accessing data when needed) is guaranteed by a highly redundant hardware and software architecture to minimise the possibility of single point of failure; privacy (i.e., the availability of data and information only to authorised users) is assured by a segregation of duties implemented in the systems by means of user profiles; security is guaranteed by a hardware and software infrastructure designed specifically with this requirement in mind, which is maintained on an ongoing basis and tested periodically. In addition, since 2017, applications have been transferred to the data centre of EDF in Noé (France), with further strengthening of security and the level of redundancy in the case of a disaster. Applications are highly integrated in order to minimise any instance of multiple data entries and automate process flows. A portion of the services is provided under outsourcing contracts with top suppliers who are IT industry leaders. These contracts cover all of the tools (periodic reporting, organisation of the service, SLA, penalties) to facilitate management and control by Edison.
The Group’s overall organisational structure is defined by a system of Organisational Communications issued by the Chief Executive Officer, consistent with the corporate governance model. These Communications identify the managers who are responsible for the various Divisions, Departments and Business Units. In turn, the managers who are responsible for the various Divisions, Departments and Business Units develop similar Organisational Communications, which, once they are published following a review by the Chief Executive Officer, define the Group’s organisation at the operational level. Any employee can access the Organisational Communications on the Company Intranet. The Board of Directors is informed on a regular basis about major organisational changes and reviews those that are particularly significant.
Delegation of Power and Authority
Executive powers are conveyed to managers through general or special powers of attorney that convey powers commensurate with their management responsibilities. The 231 Model includes guidelines that govern the awarding of powers of attorney.
In the area of human resources, Edison has adopted an official procedure to recruit and hire employees and to plan and manage employee training and uses a structured, multi-year system to plan for human resource needs. A process to evaluate the performance and professional potential and skills of executives, professionals and newly hired employees with college degrees and formal compensation policies that are based on a systematic comparison with best practices and on market conditions are also in use. In the case of executives and middle managers with significant business responsibilities, a portion of their compensation is variable and is commensurate with the achievement of objectives that are set each year in accordance with a structured performance management system. This system includes a long-term incentive programme for a selected group of Key Managers based on medium/long-term objectives. Edison has been providing training about internal controls for a number of years.
Sustainable development is a central element of Edison’s business model. The creation of value depends on the ability to combine economic objectives with the evaluation of environmental and social requirements, and generating long-lasting value for all of Edison’s relevant stakeholders. For further details on this matter, please refer to the Non-Financial Disclosure.