Operational risks

The nature of the business exposes the Acea Group to the risk of non-compliance with consumer-protection regulations pursuant to Italian Legislative Decree no. 206/2005, i.e. the risk mainly connected to the commission of consumer offences/unfair commercial practices or misleading advertising (through activities like omission of relevant information, dissemination of untrue information/forms of undue influence, unfair terms in commercial relations with consumers), as well as the risk of non-compliance with regulations for the protection of competition, i.e. the risk associated mainly with the prohibition of companies to establish restrictive agreements and to abuse their dominant position in the market (through activities such as market allocation, manipulation of tender procedures, restrictive agreements and other types of anti-competitive agreements, exchange of commercial/competitive information that potentially constitutes the creation of a cartel).

Acea adopted a specific Antitrust Compliance Programme and appointed a Holding Antitrust Officer. The main objective of the programme is to strengthen internal controls aimed at preventing the violation of regulations through the implementation of regulatory and organisational instruments, as well as through a more widespread dissemination of the culture of respect for the principles of fair competition and consumer rights. The main Group companies adopted the Antitrust Compliance Programme in line with the indications of the Holding Company, and set up organisational structures in which Company Antitrust Officers were appointed, given the task of managing the activities to adapt the Programme to the individual companies and supervise its implementation and maintenance.

Regulatory risks also include all non-conformities, with particular regard to the environmental impact of Acea Group (generated for example by the activities of production and / or treatment of urban waste and waste, and of health and safety at work, mitigated through the adoption of certified management systems, respectively UNI EN ISO 14001: 2015 and ISO 45001:2018), which may result in the application of administrative and / or criminal penalties, including those of a disqualifying nature.

Following the introduction of some crimes that expand the catalogue of predicate offences capable of triggering the responsibility of the Bodies pursuant to Italian Legislative Decree 231/2001, the Acea Group has started the progressive updating of the companies’ respective organisational models, starting with that of Acea SpA. In addition, preparations have begun for updating the Model for the law converting Italian Law Decree no. 124/2019 of 17 December 2019 that came into force on 25 December 2019, which introduced some tax crimes among the predicate offences pursuant to Italian Legislative Decree 231/01, and Italian Legislative Decree 75 of 14 July 2020 transposing the “PIF Directive”.

As part of the general Group Whistleblowing Procedure aimed at regulating the system with which anyone can make voluntary and discreet whistleblowing reports, guaranteeing the confidentiality of the identity of the whistleblower and thus protecting him/her from any retaliation, the rules governing Whistleblowing relating to unlawful conduct have been updated, also pursuant to Italian Legislative Decree 231/01 and/or violations of the 231 Model, expanding the possible channels of communication to include a specific IT platform, accessible by everyone (employees, third parties, etc.) on the website of each Group Company, and by employees of the Italian Companies of the Group having access to the company’s Intranet.

It should be noted that some consolidated companies (Areti, Acea Ato2, Acea Elabori and Acea Ambiente), as more fully illustrated in the related financial statements, are subject to investigations or proceedings that relate to significant cases pursuant to Italian Legislative Decree no. 231/01 concerning safety and/or the environment. There are also complaints for corporate offences relating only to Acea Ato5, related to investigations and proceedings for significant cases pursuant to Italian Legislative Decree 231/01 concerning the environment and corporate crimes. In particular, with regard to corporate offences, case 2031/16 relates to financial years 2015, 2016 and 2017 and alleges that the crimes of accounting fraud and filing fraudulent financial statements were committed by the Chairpersons of the Company and the representatives of the supervisory body of this company. During 2020, notification was received that the preliminary investigations had been completed, pursuant to art. 415 bis.

On the basis of the information currently available, taking into account the operational autonomy of the companies with respect to the parent company Acea, any responsibilities that may be ascertained upon the final outcome of the aforementioned proceedings are exclusively attributable to the companies themselves, without any repercussions on the Parent Company or other companies of the Group that are not involved.

Finally, other additional regulatory risks that may potentially be of particular relevance for the Acea Group include those arising from the Privacy Regulation (EU) 2016/679 GDPR.

The Acea Group’s compliance programme has made it possible to define and implement a Privacy Governance Model that is valid for the Group, taking the Parent Company as a privileged area of observation in its role as the linchpin of the system and supplier of services and/or centralised activities, looking at the Companies with a logic of priority at the core processes of each business area. The online training programme offered using an e-learning platform has been extended to Companies to provide a first layer of compliance with the obligation for Data Controllers to instruct data processing personnel, providing them with training on individual corporate processes as well as a particular focus on cross-cutting procedures (HR, Legal, etc.).

Corporate working groups have been set up to customise the Group Model in the individual companies, with effects on the implementation and/or fine-tuning of processes having a high impact on privacy, and initiatives have also been carried out to test compliance solutions already adopted.

With reference to the Commercial and Trading segment, the companies of the segment, in carrying out their sales activities on the electricity and gas free market, are fully exposed to the risk deriving from competition. In particular, there is the risk connected with potential economic and financial damage due to the progressive concentration of the electricity and gas market, i.e. the reduction in the number of competitors and the increase in their respective market shares, which would penalise the positioning of sales companies on the market (market share too low for the same number of customers), in the event of failure to align with the growth trend of the main competitors. This in particular in the case that a reduction in the prices of the reference commodity occurred, which could lead to exposure for a significant portion of the customer base to aggressive policies from the main competitors. Companies in this segment are also exposed to the risk of potential economic/financial impacts due to partial efficacy of commercial initiatives, intended to strengthen and increase the customer base and the margins of the companies.

Furthermore, with reference to commodities, there is the risk connected with potential economic and financial damage due to the impact of changes in the macroeconomic context, including sudden changes such as the COVID-19 pandemic or the so-called energy crunch phenomenon, which would lead, in the first case, to a reduction in the consumption of commodities by business customers and, in the second case, to phenomena of extreme volatility in commodity prices, with negative consequences on trade dynamics.

Regarding the Electricity Service for the standard-offer market, there is risk connected to development of the relevant regulatory framework, which could have a significant impact on the growth of the customer base, due to the disadvantageous position compared with other operators, as the mix of power customers of the Group companies, compared with that of the main competitors, is unbalanced in favour of the Electricity Service for the standard-offer market. This situation carries the risk of Acea Energia being penalised due to: (i) the inability to perform and commercial activity with regard to customers of the Electricity Service for the standard-offer market; (ii) being conditioned by tariffs regulated by revenues and margins of the Electricity Service for the standard market; (iii) exposure of a significant portion of its customer base to the impacts of policies that were adopted with a view to moving away from the Electricity Service for the standard market.

In the context of Acea Energia’s operating activities which, as a commercial company, are the single point of contact for end customers, both for the electricity and gas free market and for the Electricity Service for the standard-offer market, there is risk linked to the possibility of inadequate levels of performance on the part of Distributors, with consequent impacts on the sales company.

In order to ensure the success of the development initiatives envisaged in the Business Plan, the Segment companies have launched change management projects, mitigating the risks associated with the non-involvement of all personnel (staff and line personnel, managers and others).

The Segment Companies also have typical business risks deriving from an efficient and effective management of billing and credit collection procedures, where it is affected by the sub-optimal performance of electricity and gas distributors.

Information about commodity price risk and the control tools adopted is provided in the financial risks section.

Areti, making use also of the support and assistance of the Acea SpA Risk & Compliance Unit in managing the process and of the instruments of the Enterprise Risk Management system implemented in the corporate Group, carries out periodically and in a structured way an activity of identifying and assessing the main risks that can have a significant impact on the achievement of the business objectives deriving from the strategic, industrial, financial and sustainability plans.

In this regard, in compliance with the provisions of the Group Regulatory System, at the Board of Directors’ meeting held on 10 May 2022, the company approved the “LG_RM01_v.2.0 QASE” - Group Enterprise Risk Management Governance Guidelines” approved by the Board of Directors of Acea on 14 March 2022, which regulate the roles, responsibilities of the parties involved and control activities related to Enterprise Risk Management (ERM).

In order to react promptly to the strong contextual changes (internal and external) that occurred, an infra-annual Risk Assessment was carried out in June, which, starting with the risk scenarios already identified, focused on new risk factors and how they might affect the risk profile.

We can note the risks associated with the following projects with a great impact on the territory:

• Resilience Plan (investments of the network assets);
• Replacement of first-generation electronic meters with those of the second generation.

The risks refer generically to all the unknowns and to the possible problems that may arise during implementation of projects that are so articulated and extended over time (some provided for beyond the period of the Plan), also in consideration of the commitments made with ARERA; reference is therefore made to the possible critical issues associated with the work done on network infrastructures (authorisations from third-party bodies, procurement of materials, availability of firms, planning of activities, etc.) which assume greater significance for the number and concentration of the same.

Finally, Areti has adequately mitigated the risk to “typical” business areas like the integrity of its assets, adequate health and safety at work and its exposure to counterparties such as key suppliers and significant debtors and end customers for the technical services rendered.

Finally, with reference to the technical quality of the distribution service, required activities are under way to achieve the objectives indicated in the regulatory experiment approved by ARERA with determination 20/20 of 20/11/20 which establishes a commitment for Areti to achieve the quality levels already envisaged for the present by 2023, against non-disbursement of penalties that should be paid annually based on that established in the current mechanism.

The main operational risks associated with the Segment’s business may relate to property damage (damage to assets, adequacy of suppliers, negligence), personal injury and damage arising from information systems and external events.

Acea Produzione, in order to cope with any operational risks, has taken steps, since the start of its activity, to sign policies with leading insurance institutions for property damage, third party liability, employee accident policy and finally, in view of the health emergency still in progress, to activate a COVID-19 insurance policy.

Acea Produzione pays particular attention to the training of its employees, through in-person, virtual and on-line training courses, in order to make field operators and all corporate management responsible for working safely, respecting the environment and ecosystems, with ethical appropriateness and with a view to eco-sustainability.

Acea Produzione also develops and defines internal organisational procedures aimed at describing the activities and business processes of production sites/operating units where it specifies the matrix of responsibility and the context and the applicable legislation of reference; In addition, it draws up its own operating instructions for the field, which show how recurring maintenance work is to be carried out, relating the technical operating specifications to the safety guidelines to be used in operations.

The above is also realised through the implementation of an Integrated Environment and Safety Management System (hereinafter SYSTEM), adopted pursuant to ISO 14001:2015 and ISO 45001:2018, certified by an accredited external control body. The aforementioned SYSTEM was extended to ISO9001:2015 for specific corporate processes, by reaching the reference STAGE 1, which will be completed in the first half of 2023.

SYSTEM is intended to be a tool to:

• protect health and safety in the workplace and throughout the supply chain;
• protect the environment and biodiversity in ecosystems of interest;
• promote rational and knowledgeable use of energy sources and raw materials;
• promote a culture of quality and energy savings;
• achieve customer satisfaction;
• ensure continuous and proactive dialogue with other interested parties.

All this is specifically outlined in the SYSTEM policy, as declared and adopted by the companies in the Segment.

The Terni and San Vittore del Lazio plants were involved in optimisation and revamping projects that present the risks typically related to the construction of complex industrial infrastructure (construction and performance defects).

The Orvieto plants, and more recently Aprilia and Monterotondo, have completed major upgrading of their recovery processes for composting purposes, while the Sabaudia and Chiusi plants are undergoing major expansion and upgrading work that is currently being authorised (Sabaudia) or has just been authorised (Chiusi).

With regard to the management phase, the possible discontinuity of the waste-to-energy activities carried out in the Terni and San Vittore del Lazio plants and the waste treatment activities carried out by the other plants, if connected to the production of electricity under incentive programmes and the provision of public services, could have significant negative repercussions. This, both from an economic point of view and with respect to responsibility towards public and private suppliers. In this context, therefore, where not planned, a plant shutdown creates a concrete risk of failure to achieve the objectives of the industrial activity.

The waste-to-energy plants, as well as waste treatment plants to a lesser extent, are characterised by a high level of technical complexity, which requires the management of qualified resources and organisational structures with a high level of know-how. Therefore, there are specific risks with regard to the continuity of technical performance of the plants, as well as connected to the possible exodus of professional skills (not easily available on the market) having specific managerial skills in this area.

These risks have been mitigated by implementing specific maintenance and management programmes and protocols, drawn up partly on the basis of the experience acquired in plant management.

Moreover, the plants and the related activities are designed to handle certain types of waste. The failure of incoming material to meet the necessary specifications could lead to concrete operational problems, sufficient to compromise the operational continuity of the plants and give rise to risks of a legal nature.

For this reason, specific procedures have been adopted for monitoring and controlling incoming materials via spot checks and the analysis of samples pursuant to legislation in force.

For years now Acea has followed a development path focused on the use of new technologies as a driving force for the operational efficiency, safety and resilience of its industrial assets. The main business processes are now all supported by the use of advanced information systems, implemented and managed by the Group’s centralised departments to support the operations of the various companies. In this sense, the Group is therefore exposed to the risks of the adequacy of the IT infrastructure to the current or future needs of the various businesses, as well as to the risks of unauthorised access to the data processed using IT procedures, with or without intent, and in any case inappropriate or not in compliance with current regulations. Acea manages these risks with the utmost attention through specific corporate compliance structures coordinated by specialised Group safeguards.

As far as cyber security of systems, infrastructure, networks and other electronic devices is concerned within the scope of the services provided or the respective Group Companies, the current procedural and technological safeguards of the Companies themselves are implementing all the necessary actions to align their cyber security posture with the main national and international industry standards in order to increase their resilience to risks of this nature, possible repercussions in terms of business interruption and regulatory non-compliance. Technological and organisational measures have been implemented with the aim of:

• managing the threats to the organisation’s network infrastructure and information systems in order to ensure a level of security appropriate to the existing risk;
• Preventing accidents and minimising their impact on the security of the network and information systems used to provide services, so as to ensure their continuity.

To that end, note that on 2 February 2023 Acea was the victim of a Ransomware hacker attack, which affected all Corporate IT services. Essential services (including electricity and water distribution) were not impacted; with reference to work stations, only a few units were compromised, thanks to the anti-malware technology installed. Concurrent with analysis, existing security measures were strengthened and recovery was begun, including restoration of full backups, which led to a gradual recovery of functioning for all systems/services. The event involved the compromising of the company’s non-structured data repository with an impact on availability. Together with internal analysis, an investigation by the Public Prosecutor of Rome was launched and is still under way, utilising the bodies of the CNAIPIC Postal Police - PG to analyse the incident. The checks and analysis in progress in any case excluded any adjustments to the data and information supplied for preparation of the Acea Group’s financial statements at 31 December 2022.