Enterprise Risk Management

As an integral part of its Internal Control and Risk Management System, the Acea Group has set up an Enterprise Risk Management (ERM) framework, with a view to integrating the risk management process on an ongoing basis.
The aim of ERM is to guarantee an effective control over the entire universe of principal risks to which the Acea Group, owing to the nature of its business and the strategies adopted, is potentially exposed, ensuring that the Group’s overall exposure is duly managed in keeping with the Business Plan and Sustainability Plan objectives.

The ERM programme, which aims to enhance the integrated vision of risks and their proactive management, is intended to:

  • show the nature and relevance (probability and economic-financial and/or reputational impact) of the main risks, including those pertaining to sustainability, that might compromise the achievement of the Group’s strategic and business objectives;
  • steer the strategies and the consequent additional mitigation actions.

Find out more about our integrated strategy


The risk model

The Risk Model, which reflects the array of risk categories to which the Acea Group is potentially exposed, is derived from a careful analysis of both the socio-economic and business context in which the Group operates and the Business and Sustainability Plan objectives.
The Risk Model’s logic of representation provides for various risk type aggregation levels, with increasing granularity, based on the following elements:

  • Risk drivers: provides an indication regarding the risk source characteristics (exogenous, endogenous or associated with the Group’s guideline activities)
  • Risk category: this groups together the risks ascribable to a specific operating procedure/corporate activity or having as common characteristic the same external risk source
  • Risk type: this concerns the aggregation of risk scenarios, of a similar nature, based on a logic of prevalence that allows the risk event to be catalogued

The Acea Group risk model

Risk management process within the Acea Group

Enterprise Risk Management is the tool used by the Board of Directors and Management, through a structured process of analysis and management as regards the risk-opportunity factors to which the company is exposed, to enhance their ability to implement strategies and achieve business objectives via the conscious undertaking of risk.

ERM comprises the following main Risk Management phases 

Click to find out more
Infographic about the risk management steps in Acea Group

Identify the main risk/opportunity factors

Measure risks in terms of probability and impact on business performance and objectives

Identify the risk management strategies and the counter-measures to be put in place

Monitor the trend in risk profile and the effectiveness of established responses

  1. IDENTIFY - Identify the main risk/opportunity factors.
  2. ANALYZE - Measure risks in terms of probability and impact on business performance and objectives.
  3. PRIORITIZE & RESPOND - Identify the risk management strategies and the counter-measures to be put in place.
  4. MONITOR - Monitor the trend in risk profile and the effectiveness of established responses.

Risk categories

Owing to the nature of its business, the Acea Group is potentially exposed to various categories of risk, above all competitive and regulatory risks, risks concerning natural events and climate changes, financial market risks (external risks) and operational and environmental risks specific to each business sector, Information Technology risks and Human Resources risks (internal risks).

Risks associated with the Covid-19 health emergency

The Covid-19 emergency situation has also impacted the analysis of risks and identification of related management procedures. Right from the beginning of the pandemic, we put in place a series of actions to safeguard all stakeholders, from time to time adapting to developments in the situation.
Projects aimed at making operations in the field increasingly safe continued in 2021, such as the development of personal protective equipment with sensors that can signal proper usage (Smart PPE). We continued our comprehensive monitoring for the prevention and protection against the risk of infection from Covid-19, through the reorganisation of work activities and smart working, training courses, definition of specific protocols, dedicated communication channels, revision of risk assessment documents and health emergency plans, vaccination and screening campaigns for Acea personnel and activation of dedicated insurance coverage.
Lastly, even during this emergency phase, the pursuit of sustainable objectives remains a priority: we intend to take advantage of the opportunities that will derive from an acceleration of investments in infrastructures and renewable energy sources, particularly in connection with the European Green Deal and Recovery Fund programmes.

Cybersecurity risk management

The cyber threat is one of the national security aspects presided over by Acea. The Cyber Security Unit, part of the Technology and Solutions Department, has adopted a model in keeping with the requirements expressed by the public institutions.
In accordance with the indications received from the competent Authorities, we have invested in the expansion of measures to protect the networks and the IT, IoT and OT systems. In 2021, the cyber risk analysis programme was launched on all our services, to identify, measure and manage the risk arising from cyber threats. At the same time, with the creation of the Security Engineering structure the Vulnerability Management Programme was initiated, aimed at researching and mitigating vulnerability, in order to identify and oppose unlawful actions, using machine learning tools, advanced analytics and big data; a process of Security by design was also activated, for the implementation of security requirements during developments pertaining to all technological projects.
Lastly, the awareness and training campaign for the entire company population continued, with a view to enhancing individual awareness and skills in relation to cyber security issues.

For further information on all the risks and uncertainties to which the Acea Group companies are exposed, please read our  2021 Consolidated Financial Statement.

For further information on our central monitoring stations for particular risk categories, please read our  2021 Report on corporate governance and ownership structures.


Discover the latest news and initiatives of the Acea Group