The Internal Control And Risk Management System (ICRMS) is the set of people, tools, organizational structures and company regulations aimed at ensuring the correct management of company risks.
An essential element of Acea’s Corporate Governance, the system makes it possible to identify, measure, manage and monitor the main risks pertaining to the business. The ICRMS takes into account the recommendations of the Corporate Governance Code and is based on national and international best practices, in particular the CoSO Internal Control model and CoSO Framework, issued by the Committee of Sponsoring Organisations of the Treadway Commission.
The "Internal Control and Risk Management System Guidelines " (Italian version), which describe the system, were revised in 2019 and were approved by the Board of Directors in January 2020.
Definition of an adequate ICRMS:
The new ICRMS guidelines, which are applicable to all the group’s companies, aim to:
Risk management in the Acea Group is a structured, continual process, created in order to assess and handle using integrated logic the risks of the entire organisation, according to the risk appetite expressed, with a view to ensuring that management is provided with the information necessary to take the most appropriate decisions for the achievement of strategic and business objectives and for the protection, enhancement and creation of business value.
The ICRMS is based on the following principles:
BoD
Determines the SCIGR guidelines so as to ensure that the main risks for Acea and its subsidiaries are identified, measured and managed
DIRECTOR IN CHARGE
Implements the SCIGR guidelines and, also using the Audit Department, ensures identification of the main corporate risks and submits them periodically to the BoD
BOARD OF STATUTORY AUDITORS
Monitors legislative and procedural compliance and observance of correct principles of administration
COMPANY STAFF
Intervenes with varying responsibilities, from management to employees, to maintain an efficient process of risk identification and management, operating in observance of procedures and performing line control activities
MANAGER RESPONSIBLE FOR PREPARING THE COMPANY’S FINANCIAL REPORTS
Responsible for setting up and maintaining the Financial Information Internal Control System
RISK & COMPLIANCE - ERM
Defines the methodology for risk evaluation and prioritisation and coordinates management of the periodical Risk Assessment procedure
SUPERVISORY BODY
Responsible, with powers of initiative and intervention, for the functioning of the Organisational, Management and Control model (MOG 231), relying on the collaboration of the Ethics and Sustainability Committee for the profiles of common interest
INTERNAL AUDIT
Carries out independent audits on the operations and suitability of the IARMS, using a risk based audit plan approved by the BoD, and monitors execution of the action plans issued following the audits performed
Function Risk & Compliance
Key missions:
Manager Responsible
The Manager Responsible for preparing the company’s financial reports (the "Manager Responsible") pursuant to Italian Law 265/05 is in charge of setting up and maintaining the system of internal control financial ireporting and issuing an appropriate certification together with the Chief Executive Officer. The system of internal control over financial reporting is subject to a specific Regulation approved by the Board of Directors and supported by the Management and Control Model in accordance with Law 262/05.
Risk management is a cross-cutting process, widespread responsibilities that involve all company levels.
Conducted by those
responsible for the
operating activities where the risk lies.
First level controls are intended to ensure business processes are correctly carried out in order to prevent risks via appropriate mitigation actions.
Conducted by corporate
structures, with the aim of ensuring that the first level, checks are
adequate and operational
Second level controls comprise ongoing monitoring to assess the effectiveness of controls defined for the performance of business operations.
Independent checks
conducted by the Audit
function to verify the adequacy and operation of the SCIGR
Third level controls are entrusted to the Internal Audit Department and consist of independent assessments regarding the design and running of the internal control system and the monitoring of improvement plans defined management.
