Board of Directors
For several years, the Board of Directors, working with the support of the Control and Risk Committee, has defined the guidelines of the Internal Control System, which in 2013 were updated, integrating them with the risk management guidelines, which the Company has been following for some time, adopting conduct consistent with them.
With respect to risk management, as explained in the section of this Report entitled “Internal Control and Risk Management System,” Edison has developed an integrated risk management model in accordance with the international principles of Enterprise Risk Management (ERM), the COSO framework specifically, to identify the Company’s priority risks, pre-emptively assess their potential negative effects and take appropriate actions to mitigate them. Specifically, the risk assessment process also took into account the risks that could become significant in terms of sustainable development over the medium/long-term. The updated risk map is then examined on a yearly basis by the Board of Directors at the meeting during which it also approves the budget for the next year. On the basis of this analysis, the Board of Directors defines the nature and level of risk compatible with the strategic objectives of the Company and the Group, including in its assessments the elements that may be relevant to medium/long-term sustainability.
Starting in 2016, the Board of Directors began to review in more detail, based on the same documents provided to the Control and Risk Committee, the analyses performed and the results achieved concerning risk monitoring and management, using the integrated risk management model adopted by the Group. This is to ensure, on the one hand, a better implementation of the principle laid down in the Code and, on the other hand, compliance with the indications contained in Consob communication no. 0009517 of February 3, 2016 which required the active involvement of the administrative body in the processes of management, monitoring and control of risks deriving from derivative transactions and greater attention of the control body on the adequacy of the Company’s organisational structure to comply with EMIR rules. As in the past, the Control and Risk Committee in any event continues to carry out a preventive investigative activity, providing its assessments and recommendations to the Board of Directors.
As part of the Enterprise Risk Management process, growing attention has been focused on ESG risks and on the associated mitigation actions. The integration process, which began in 2018, has been significantly strengthened, also with regard to the best reference international standards. These risks are increasingly becoming part of the risk mapping update process, allowing for their better identification and management.
With respect to 2021, the Board of Directors discussed and approved the updated risk map during the approval of the 2021 budget and at that time and during the approval of the 2021 semiannual results it shared the updated risk profile, specifically with regard to the Group’s main risks: i.e., i) market risks; ii) counterparty and country risk; iii) risks inherent in the use of financial derivatives; and iv) EMIR compliance risks and the relative mitigating actions. With respect to 2022, the Board of Directors shared and approved the risk map and the risk profile, as well as the mitigation actions during the approval of the 2022 budget.
Moreover, with regard to 2021 a transversal activity was carried out internally for the identification and analysis of the risk areas relating to ESG issues, the results of which were shared with the Board of Directors at its meeting on December 7, 2021.
Over the years, the Company developed specific safeguards for some of the risks identified within this integrated model, with the aim of managing and limiting the impact of the various risks on the Group’s economic and financial equilibrium. More specifically, as explained in greater detail in the section of this Report entitled “Internal Control and Risk Management Systems,” in relation to the Group’s exposure to the risk of fluctuations in the prices of energy commodities handled, as well as to the exchange rate risk linked to the currencies used by the Group, the Company has for some time now employed an Energy Risk Policy. The policy defines the governance, monitoring and control environment for these risks, and envisages the adoption of specific risk limits in terms of Economic Capital for the industrial portfolio relating to the Group’s assets and contracts.
Specifically, during the approval of the budget, the Board of Directors approves the document entitled “Edison Risk Management Framework for Energy Market Risk”, whereby it identifies the principles and defines the main strategies for hedging commodity risk and the relative exchange risk and establishes the risk limits to be respected during the subsequent year.
With respect to 2021, the decision regarding the maximum limit of Economic Capital for the Industrial Portfolio was approved during the Board of Directors meeting on December 7, 2020 and, relating to 2022, during the meeting on December 7, 2021.
As already reported in the previous Governance Reports, in relation to credit risk management, the Credit Risk Policy was recently updated in 2019.
The Board of Directors then annually approves the Audit Plan and any updates during the year, prepared by the Manager of the Internal Auditing Department, after consulting the Board of Statutory Auditors and the Chief Executive Officer and with the favourable opinion of the Control and Risk Committee. With respect to 2021, approvals were provided at the December 7, 2020 and July 28, 2021 meetings; with respect to 2022 at the December 21, 2021 meeting.
Chief Executive Officer and Director Responsible for Overseeing the Functionality for the Internal Control and Risk Management System
As mentioned above, the Board of Directors entrusted to the Chief Executive Officer responsibility for overseeing the functioning of the internal control and risk management system.
In the course of 2021, the Chief Executive Officer, with the support of the Chief Financial Officer and the Risk Officer, updated the map of the key business risks, submitting them to the Board of Directors for review at its meetings held on July 28, 2021 and December 7, 2021; and implemented the guidelines of the internal control and risk management system, overseeing the system’s design, implementation and management, verifying on an ongoing basis its adequacy and effectiveness as well as its adaptation to trends in operating conditions and in the legislative and regulatory landscape.
Internal Auditing Department
The Internal Auditing Department, established in May 2003, is responsible for performing internal audits, with the goal of assisting the Board of Directors, the Control and Risk Committee and the Company’s management in the pursuit of a correct functioning of the internal control and risk management system, protecting and increasing the value of the organisation, providing objective, risk-based assurance, consulting and expertise, and thus facilitating the achievement of the Company’s objectives. In February 2004, acting upon a proposal by the Chief Executive Officer, the Board of Directors assigned to the manager of the Internal Auditing Department the task of assessing the adequacy, functioning, effectiveness and consistency with the guidelines defined by the Board of Directors of the internal control and risk management system.
Hierarchically, since March 2013 the Internal Auditing Department, which does not perform any operational function, reports directly to the Board of Directors (and to its Chairman for the full Board), which assigned to the General Counsel the task of providing operational coordination for the activities of the Department and its manager, serving as liaison between the above-mentioned Department and the Board of Directors, the Board of Statutory Auditors and the 231 Oversight Board. The Board of Directors then delegated to the Chief Executive Officer, in his capacity as the Director responsible for the internal control and risk management system, responsibility for ensuring that the Department is provided with the resources needed to discharge its duties and for defining the compensation of the Department’s manager, determined in a manner consistent with the Group’s management compensation policies, in accordance with general guidelines reviewed by the Compensation Committee. The current manager, Paolo Colapenna, was appointed on July 29, 2013 upon a recommendation by the Chief Executive Officer, in his capacity as the Director responsible for the Internal Control and Risk Management System, with a favourable opinion provided by the Control and Risk Committee and the input of the Board of Statutory Auditors. The compensation, which, as mentioned above, was defined by the Chief Executive Officer at the request of the Board of Directors, and, more specifically, the incentive package for this manager are consistent with the tasks assigned to him.
The Department operates on the basis of a Mandate approved by the Board of Directors. The Mandate was last updated at the end of 2019.
Under this mandate, again in 2021 a Department work plan was prepared, defined using risk-based methods to identify the initiatives that should be implemented, and specify the necessary resources, based on information derived from the following sources: Group’s medium-term plan/budget; Risk Assessment - Enterprise Risk Management (ERM); mapping of operating risks of the Business Divisions; 262 and 231 compliance; Tax Control Framework; recommendations from management; reports by the Chief Executive Officer and the Chairman of the Control and Risk Committee; control self-assessment activities; assessments by the Internal Auditing Department; results of previous audits; Independent Auditors. The Plan, with the relative updates during the year, was then submitted to the Control and Risk Committee and approved by the Board of Directors, as specified in the sub-section “Parties involved - Board of Directors”. The activity included the process of monitoring the actual implementation of the recommendations made within the audits (follow-up).
In the course of 2021, the Department reported on a quarterly basis to the Control and Risk Committee and the Board of Statutory Auditors, which systematically participates in those meetings, about the results of its audit activities and supported the committee in performing audits and assessments of the internal control and risk management system.
Every quarter, the Department also reported to the Board of Statutory Auditors during its meetings with regard to the work performed and its assessments of the internal control and risk management system. On those occasions, the Board of Statutory Auditors was systematically informed of the results of audits performed, specifically with regard to any issues uncovered and the corresponding improvement actions agreed upon with management.
The Internal Auditing Department operates in accordance with the international standards for the internal auditing profession (IPPF); this quality certification (Quality Assessment Review), achieved since 2009, was renewed in 2018 for another five years further to a review by an external, independent certifier.
In 2021, the Department’s Work Plan, which concerned, inter alia, as in previous years, the reliability of the IT systems including the accounting and reporting systems, was completed as expected.
The manager of the Internal Auditing Department has direct access to all information useful for discharging the assigned tasks. Moreover, owing in part to the fact that he attends the meetings of the Control and Risk Committee and the 231 Oversight Board, of which he is the Secretary, he receives and assesses any additional information and assists the Control and Risk Committee in assessing the internal control and risk management system.
Other Parties Involved
The risk management process is coordinated by the Risk Officer, who reports to the Chief Financial Officer. The Risk Officer also provides management with support in defining the overall risk strategy and policies and in analysing, identifying, evaluating and managing risk and defining and managing the corresponding control and reporting system. For the management of the most significant risks to the company, a management committee named the Risk Committee has been established, which is described in the “Elements that Characterise the Internal Control and Risk Management System” section, in which the managers of the divisions most concerned with these issues participate, as well as the Chief Executive Officer. The Chief Sustainability Officer is involved in assessing and monitoring risks, particularly with reference to ESG risks, within the broader framework of corporate risk mapping.
In the course of 2021, the Risk Officer systematically reported on the relative risk management activities to the Control and Risk Committee, the Board of Statutory Auditors and, through the Chief Financial Officer, the Board of Directors.
The managers in charge of each Business Unit, Department or Division are responsible for designing and managing the internal control system for the operations under their jurisdiction and for monitoring that the system is operating effectively, in accordance with the framework defined by the Board of Directors and the instructions provided to implement those guidelines. The activity has been integrated into the processes deployed to identify, monitor and manage risks, as explained below. All employees, each within the scope of his or her responsibilities, must contribute to ensuring that the internal control and risk management system is operating effectively.
With regard to the Corporate Accounting Documents Officer, reference should be made to the relative “Corporate Accounting Documents Officer” section.
Board of Statutory Auditors
Pursuant to law, the Board of Statutory Auditors monitors the effectiveness of the Company’s organisation, of the system of internal control and of the administrative and accounting system, as stated in the report submitted by the Board of Statutory Auditors to the Shareholders’ Meeting, which should be consulted for additional details. A comment about the flow of information between the Board of Statutory Auditors and the other governance entities is provided in the sections of this Report entitled “Rules of Operation of the Board of Statutory Auditors” and “Control and Risk Committee.”
Independent Auditors
As part of the Independent Auditors’ efforts to obtain, as a basis for its opinion, reasonable certainty about whether the financial statements and consolidated financial statements taken as a whole are free of material misstatement, the auditors consider the internal control relating to the preparation of the separate and consolidated financial statements in order to identify the types of potential errors and factors affecting the risks of material misstatement, and determine the nature, timing and extent of any resulting procedures. Therefore, the auditors’ understanding of the internal control system relates only to the part related to the preparation of the financial statements, and is not acquired for the purpose of expressing an opinion on the effectiveness of internal control, either its components or as a whole.