Enterprise Risk Management

06/08/2016 - 03:30 PM

In order to ensure a global approach to risk management, the Telecom Italia Group has adopted an Enterprise Risk Management (ERM) process. This is a corporate risk governance tool used to identify, assess and manage risks.

The Group has adopted an Enterprise Risk Management (ERM) Model which allows risks to be identified, assessed and managed uniformly, highlighting potential synergies between the parties involved in assessing the Internal Control and Risk Management System. The ERM process is designed to identify potential events that may influence the business, in order to manage risk within acceptable limits and provide a reasonable guarantee that business objectives will be achieved.

The process is managed by the ERM Steering Committee, which is chaired and coordinated by the head of the Administration, Finance and Control Department. The Steering Committee meets every three months (or when specifically required) and is intended to ensure the governing of the Group risk management process, which is designed to guarantee the operational continuity of the company's business, monitoring the effectiveness of countermeasures adopted.

The process adopted is cyclical and includes the following stages:

  • Risk Appetite is the amount and type of Risk, overall, that a company is willing to accept in the creation of value, namely in the pursuit of its strategic objectives. It is discussed and defined annually by the BoD at the sessions held to approve the Business Plan. The Risk Appetite is broken down into Risk Tolerances;
  • the Risk Tolerances represent the level of risk the Company is willing to assume, with reference to the individual objective categories (strategic, operational, compliance, reporting).

Compliance with the Risk Tolerances and Risk Appetite is monitored quarterly and reported to the BoD, after the CRC has been informed.

This phase covers the identification, definition and assessment of the risks. It starts with the fine-tuning of the Risk universe, namely the document that contains the description of the main characteristics of all the risks identified; the risks are presented, in interviews, to the process owners who, together with Risk Management, assess their severity and document the mitigating actions in order to position them on a specific 3X3 matrix (Risk and Control Panel - R&CP). The matrix dimensions are:

  • the “level of inherent risk”, namely the level of variance with respect to the Business Plan deriving from the occurrence of an event (risk);
  • “monitoring level”, based on the evaluation of the mitigating actions implemented.

This matrix allows the action priorities for the mapped risks to be set. All the risks assessed as High in the R&CP matrix form the Corporate Risk Profile (CRP). The CRP risks that have a partial or non-existent monitoring level are subject to a Root Cause Analysis aimed at grouping related risks into homogeneous improvement areas. The positioning of the risk in the matrix described above is also the result of:

  • collaboration with the Compliance department, which considers the monitoring level with regard to non-compliance aspects and
  • synergies with the Audit Department relating to the evaluation analysis of the suitability and efficiency of the mitigating actions identified.

The aim of this phase is to identify and implement the strategic options for responding to risk and to bring the risks back to or maintain them at acceptable levels. The responsibility for identifying and implementing the risk response lies with the Process Owner, with the support of AFC-RM to overcome the monitoring gaps identified in the Risk Assessment phase. A suitable risk response must be defined for each risk, in line with the action priority represented by its positioning in the Risk & Control Panel. The Risk Response is broken down into the following “sub-phases”:

  • planning,
  • execution,
  • stocktaking and measuring of the performances.

At the end of each ERM process cycle, the AFC-RM department, together with the AFC-P&C department, outlines the overall risk profile, also making reference to the effects of the mitigation actions, in order to support the new strategic planning cycle and the subsequent Risk Analysis linked to the Plan. All this information represents an input for the new business planning and therefore the definition of the Risk Appetite and the related Risk Tolerances.      

The ERM process also makes it possible to identify emerging risks, i.e. risks which might compromise business operations in the medium to long term, or risks which are highly dynamic and fast-changing, such that the lapse of time between the occurrence of a risk event and its consequences is very short. By way of example, a recent in-depth analysis identified among these the risk associated with the management of contracts: inadequate governance of the whole contract management process (with both suppliers and customers) might prevent the company's interests from being safeguarded, owing to a lack of protective clauses, inadequate operational management of a contract, or failure to implement the necessary information privacy requirements and protections (e.g. filing of contracts with sensitive data).

Inadequate contract management might lead to loss of competitive advantage in the specific market and to leakage of sensitive information; the negative impacts would affect the company's profitability and/or its reputation objectives.

So far the company has implemented the following mitigation actions:

  • analysis and evaluation of the monitoring tasks associated with the contract management process;
  • identification of gaps and pain points in the process which might need to be further analyzed and managed;
  • implementation of mitigation projects aimed at optimizing the contract management process and the necessary checks.