
Enterprise Risk Management

05/29/2017 - 03:30 PM


In order to ensure a global approach to risk management, the TIM Group has adopted an Enterprise Risk Management (ERM) process. This is a corporate risk governance tool used to identify, assess and manage risks.

Control Room Security

The Group has adopted an Enterprise Risk Management (ERM) Model which allows risks to be identified, assessed and managed uniformly, highlighting potential synergies between the parties involved in assessing the Internal Control and Risk Management System. The ERM process is designed to identify potential events that may influence the business, in order to manage risk within acceptable limits and provide a reasonable guarantee that business objectives will be achieved.

The process is managed by the ERM Steering Committee, which is chaired and coordinated by the head of the Security Department. The Steering Committee meets every three months (or when specifically required) and is intended to ensure the governance of the Group risk management process, which is designed to guarantee the operational continuity of the company's business, monitoring the effectiveness of the countermeasures adopted.

The process adopted is cyclical and includes the following stages:

  • Risk Appetite is the amount and type of Risk, overall, that a company is willing to accept in the creation of value, namely in the pursuit of its strategic objectives. It is discussed and defined annually by the Board of Directors at the sessions held to approve the Business Plan. The Risk Appetite is broken down into Risk Tolerances;
  • the Risk Tolerances represent the level of risk the Company is willing to assume, with reference to the individual objective categories (strategic, operational, compliance, reporting).

Compliance with the Risk Tolerances and Risk Appetite is monitored quarterly and reported to the Board of Directors, after the Control and Risk Committee has been informed.

This phase covers the identification, definition and assessment of the risks. It starts with the fine-tuning of the Risk universe, namely the document that contains the description of the main characteristics of all the risks identified; the risks are presented, in interviews, to the process owners who, together with Risk Management, assess their severity and document the mitigating actions in order to position them on a specific 3X3 matrix (Risk and Control Panel - R&CP). The matrix dimensions are:

  • the “level of inherent risk”, namely the level of variance with respect to the Business Plan deriving from the occurrence of an event (risk);
  • “monitoring level”, based on the evaluation of the mitigating actions implemented.

This matrix allows the action priorities for the mapped risks to be set. All the risks assessed as High in the R&CP matrix form the Corporate Risk Profile (CRP). The CRP risks that have a partial or non-existent monitoring level are subject to a Root Cause Analysis aimed at grouping related risks into homogeneous improvement areas. The positioning of the risk in the matrix described above is also the result of:

  • collaboration with the Compliance department, which considers the monitoring level with regard to non-compliance aspects and
  • synergies with the Audit department relating to the evaluation analysis of the suitability and efficiency of the mitigating actions identified.

The aim of this phase is to identify and implement the strategic options for responding to risk and to bring the risks back to, or maintain them at, acceptable levels. The responsibility for identifying and implementing the risk response lies with the Process Owner, with the support of the Security - Enterprise Risk Management department to overcome the monitoring gaps identified in the Risk Assessment phase. A suitable risk response must be defined for each risk, in line with the action priority represented by its positioning in the Risk & Control Panel. The Risk Response is broken down into the following “sub-phases”:

  • planning,
  • execution,
  • stocktaking and performance measurement.

At the end of each ERM process cycle, the Security - Enterprise Risk Management department, together with the Administration Finance Control - Planning & Control department, outlines the overall risk profile, also making reference to the effects of the mitigation actions, in order to support the new strategic planning cycle and the subsequent Risk Analysis linked to the Plan. All this information represents an input for the new business planning and therefore the definition of the Risk Appetite and the related Risk Tolerances.

The ERM process also makes it possible to identify emerging risks, i.e. risks which might compromise business operations in the medium to long term, or risks which are so dynamic and fast-changing that the time between the occurrence of a risk event and its consequences is very short. Brexit is one example. On June 23, 2016, the United Kingdom (the ‘UK’) held a referendum in which voters approved an exit from the European Union.

Brexit, and even uncertainty over potential changes during any period of negotiation, could result in further instability in global financial markets and uncertainty with respect to national laws and regulations as the U.K. determines which E.U. laws to replace or replicate. Any of these effects of Brexit, among other factors, could adversely affect our business, financial condition, operating results and cash flows.

So far the company has implemented the following mitigation actions:

  • careful monitoring of regulatory developments;
  • strict implementation of internal policy on financial risks, with particular focus on Great Britain counterparties.