Parties involved

BOARD OF DIRECTORS
For several years, the Board of Directors, working with the support of the Control and Risk Committee, has defined the guidelines of the Internal Control System, which in 2013 were updated, integrating them with the risk management guidelines, which the Company has been following for some time, adopting a conduct consistent with them. Based on the above-mentioned guidelines, the Board of Directors defines each year the type and level of risks compatible with the Company’s strategic objectives, as explained in the section of this Report entitled “Role of the Board of Directors.” As required by the Code, the Board of Directors regularly reviews the main risks faced by the Company and, based on the findings presented in the report prepared by the Control and Risk Committee, assesses the adequacy, efficacy and effectiveness of the internal control and risk management system at least once a year. Moreover, starting with the 2017 financial statements, EU Regulation 537/2014 required public-interest entities, such as Edison, to have their company engaged for the statutory audit of the accounts address a dedicated report on the findings of the audit to the Internal Control and Auditing Committee (in the Italian system, this body has been identified as the Board of Statutory Auditors). In turn, the Board of Statutory Auditors is responsible for sending the “additional” report to the Board of Directors accompanied by any observations. As a result, as of 2018, the assessment of these aspects is no longer the responsibility of the Control and Risk Committee, which in any event continues to be informed of them.

DIRECTOR RESPONSIBLE FOR OVERSEEING THE RESPONSIBILITY FOR THE INTERNAL CONTROL AND RISK MANAGEMENT SYSTEM
As mentioned above, the Board of Directors entrusted to the Chief Executive Officer responsibility for overseeing the functionality of the internal control and risk management system. As part of this assignment, the Chief Executive Officer, with the support of the Chief Financial Officer and the Risk Officer, mapped the key business risks, which were periodically reviewed by the Board, and implemented the guidelines of the Internal Control and Risk Management System, overseeing the system’s design, implementation and management, verifying on an ongoing basis its adequacy, effectiveness and suitability for handling changes in operating conditions and in the legislative and regulatory framework. During 2019, the Chief Executive Officer made a request to the Internal Auditing Department regarding the performance of checks on a specific operational area.


CONTROL AND RISK COMMITTEE
Please see the previous section of this Report for information about the jurisdiction and activities of this Committee.

INTERNAL AUDITING DEPARTMENT
The Internal Auditing Department, established in May 2003, is responsible for performing internal audits, with the goal of assisting the Board of Directors, the Control and Risk Committee and the Company’s management in the pursuit of a correct implementation of the internal control and risk management system, thus facilitating the achievement of the Company’s objectives. In February 2004, acting upon a proposal by the Chief Executive Officer, the Board of Directors assigned to the manager of the Internal Auditing Department the task of assessing the adequacy and effectiveness of the overall Internal Control and Risk Management System.
Hierarchically, the Internal Auditing Department, which does not perform any operational function from March 2013, reports directly to the Board of Directors, which assigned to the General Counsel Department the task of providing operational coordination for the activities of the Department and its manager, serving as liaison between the abovementioned Department and the Board of Directors, the Board of Statutory Auditors and the Oversight Board. The Board of Directors then delegated to the Chief Executive Officer, in his capacity as the Director responsible for the Internal Control and Risk Management System, responsibility for ensuring that the Department is provided with the resources needed to discharge its duties and for defining the compensation of the Department’s manager, determined in a manner consistent with the Group’s management compensation policies, in accordance with general guidelines reviewed by the Compensation Committee.
The current manager, Paolo Colapenna, was appointed on July 29, 2013 upon a recommendation by the Chief Executive Officer, in his capacity as the Director responsible for the Internal Control and Risk Management System, with a favorable opinion provided by the Control and Risk Committee and the input of the Board of Statutory Auditors. For reasons explained in the 2012 Governance Report, the previous manager had been appointed by the Chairman of the Board of Directors and reported to him.

The Department operates on the basis of a Mandate approved by the Board of Directors. The Mandate was last updated at the end of 2019 to take into account both the new features relating to the Internal Auditing mission as expressed in the international standards for the auditing profession (IPPF), and the organisational changes in the Audit Department that led to the creation of the new “Personal Data Protection” function and the appointment of the Internal Auditing Manager as Operational & Compliance Officer. Under this mandate, the Department is required to prepare a work plan, defined using risk-based methods to identify the initiatives that should be implemented, and specify the necessary resources, based on information derived from the following sources: Group’s strategic plan and budget; Risk Assessment - Enterprise Risk Management (ERM); mapping of operating risks of the Business Divisions; 262 and 231 compliance; recommendations from management; reports by the Chief Executive Officer and the Chairman of the Control and Risk Committee; control self-assessment activities; assessments by the Internal Auditing Department; results of previous audits; Independent Auditors. The audit plan is then submitted to the Control and Risk Committee and, starting in 2014, approved by the Board of Directors. The Plan is updated at least once every six months. Activities include monitoring the actual implementation of the recommendations that resulted from audit engagements (follow-up).
A report is issued at the end of each audit engagement. Generally, the report is addressed to parties who have jurisdiction over and responsibility for the management of the audited processes and any other parties who may be able to properly follow up on the recommendations contained in the report and/or provide specific support in this area. An executive summary of each audit report is also sent to the Chief Executive Officer, the Chief Financial Officer, the manager of the Human Resources and Organization Department and the General Counsel. The distribution of reports that are highly confidential can be limited, based on the nature of the report. The Chief Executive Officer and the Control and Risk Committee must be promptly informed of any problems affecting the internal control and risk management system.

At least once every six months, the Internal Auditing Department reports to the Control and Risk Committee about the results of its audit engagements and supports the Committee in performing audits and assessments of the internal control and risk management system. Also once every six months, it reports to the Board of Statutory Auditors with regard to the work performed and its assessments of the internal control and risk management system.

The Internal Auditing Department operates in accordance with the international standards for the internal auditing profession, as set forth in the International Professional Practices Framework (IPPF) and, since 2009, its internal auditing activities have been certified in accordance with international Quality Assessment Review (QAR) methods; in 2018, this certification was renewed for another five years further to a review by an external, independent certifier.

The manager of the Internal Auditing Department has direct access to all information useful for discharging the assigned tasks. Moreover, owing in part to the fact that he attends the meetings of the Control and Risk Committee and the Oversight Board, of which he is the Secretary, he receives and assesses any additional information and assists the Control and Risk Committee in assessing the internal control and risk management system.

OTHER PARTIES INVOLVED
The risk management process is coordinated by the Risk Officer, who reports to the Chief Financial Officer. The Risk Officer also provides management with support in defining the overall risk strategy and policies and in analyzing, identifying, evaluating and managing risk and defining and managing the corresponding control and reporting system.
The managers in charge of each Business Unit, department or division are responsible for designing and managing the internal control system for the operations under their jurisdiction and for monitoring that the system is operating effectively, in accordance with the framework defined by the Board of Directors and the instructions provided to implement those guidelines. As explained below, this activity has been integrated into the processes deployed to identify, monitor and manage risks. All employees, each within the scope of his or her responsibilities, must contribute to ensuring that the Internal Control and Risk Management System is operating effectively.

BOARD OF STATUTORY AUDITORS
Pursuant to law, the Board of Statutory Auditors monitors the effectiveness of the Company’s organization, of the system of internal control and of the administrative and accounting system, as stated in the report submitted by the Board of Statutory Auditors to the Shareholders’ Meeting, which should be consulted for additional details. A comment about the flow of information between the Board of Statutory Auditors and the other governance entities is provided in the sections of this Report entitled “Rules of Operation of the Board of Statutory Auditors” and “Control and Risk Committee.”