Eni has developed and adopted a model for Integrated Risk Management (IRM) that targets to achieve a comprehensive and selective view of the Company main risks1, greater consistency among internally-developed methodologies and tools to manage risks and a strengthening of the organization awareness, at any level, that suitable risk evaluation and mitigation may influence the delivery of Corporate targets and value.
Integrated Risk Management Model
The IRM has been defined consistently with international principles and best practices. It is an integral part of the Internal Control and Risk Management System and is structured on three levels.
Its strong point is represented by risk governance that attributes a central role to the Board of Directors. The Board, with the support of the Control and Risk Committee outlines the guidelines for risk management, so as to ensure that the main corporate risks are properly identified and adequately assessed, managed and monitored.
The CEO implements the guidelines defined by the Board, overseeing the design, implementation and management of the Internal Control and Risk Management System, constantly checking its adequacy and efficacy. In particular, through the process of Integrated Risk Management, the CEO ensures the identification, assessment, management, and monitoring of major risks and the evolution of the IRM process consistently with business dynamics and the regulatory environment.
The outcome of the process for reviewing the major risks and implementing the relevant treatment plans are presented to the Risk Committee, chaired by the CEO. The CEO then presents them to the Board of Directors which in turn assesses at least once a year the adequacy and efficacy of the Internal Control and Risk Management System with reference to Eni’s fundamentals and the risk profile assumed and compatible with corporate objectives.
Our process of integrated risk management
The IRM model is implemented through a process of integrated management which is both continuous and dynamic and leverages on the risk management systems already adopted by each business unit and corporate processes.
This process includes risk assessment activities (identification, assessment and analysis), treatment, monitoring and reporting of risks. Starting from these and keeping account of their peculiarities and aims, specific tools and methodologies are applied. Based on the guidelines provided by the Board of Directors, the first step consists in the definition of the scope of risk assessment which targets the Company risks that might impact the achievement of corporate objectives (including sustainability initiatives) to the highest degree. The objectives are articulated by business areas, organizational functions, functional areas, and when necessary by processes. During the risk assessment step, the following activities are performed: (i) identification of risks, aiming at identifying and describing the major risk events; (ii) assessment and analysis, aiming at evaluating extent and reach of the identified risks, considering their triggers and impacts 2 and the associated probability of occurrence. This activity provides, among other things, useful information to evaluate whether a given risk warrants a treatment plan and, if so, what strategies and modes are the most suitable.
In the IRM model risk typologies of various kinds are considered and their classification (risk model), in line with the best practices on the marketplace, represents a constant and updated framework for integrated risk management. The model entails an articulation of risks by Country, regulatory developments, environment, finance, strategy and operations. The basic feature of the IRM model is the integrated and cross-sectional assessment of risks according to rankings of probability (from remote to probable) and impact (from negligible to extreme). In assessing the impact, management evaluates both quantitative parameters (i.e. reduction in results of operations and cash flows, and operating-productive impact) and qualitative aspects (impact on the company’s reputation, on social, environmental, health and safety aspects). The matrix of probability and impact allows calculating a risk scoring as a combination of probability and impact levels. For the main risks identified and assessed in the risk assessment activity, the most adequate risk treatment strategies are defined such as avoiding, retaining, reducing or sharing a given risk.
The monitoring of main risks and the related treatment plans through specific indicators (Key Risk Indicator, Key Control Indicator, Key Performance Indicator) allow to identify improvement areas in the management of major risks, to analyze their evolution in terms of treatment measures (also with reference to developing and updating risk management models) and to timely identify potential new risks.
In order to support decision making processes and to allow an integrated risk management, reporting activities ensure the availability and representation of information collected and processed in the model phases at the various corporate levels.