Internal control and risk management system

[GRI - 102-12], [GRI - 102-16], [GRI - 102-23], [GRI - 102-24], [GRI - 102-25], [GRI - 102-26], [GRI - 102-27], [GRI - 102-29], [GRI - 103-1], [GRI - 103-3], [GRI - 201-1], [GRI - 201-2], [GRI - 205-1], [GRI - 301-1], [GRI - 302-1], [GRI - 303-1], [GRI - 304-1], [GRI - 305-1], [GRI - 306-1], [GRI - 308-1], [GRI - 403-1], [GRI - 406-1], [GRI - 418-1]

Acea’s Internal Control and Risk Management System (SCIGR), which plays a central role in the Group’s corporate governance structure, consists of a set of people, tools and organisational structures intended to:

  • identify the risks that can affect the pursuit of the objectives defined by the Board of Directors;
  • encourage the taking of conscious decisions that are consistent with the company’s objectives, within the context of a widespread knowledge of the risks and the level of tolerance to them, legality and company values;
  • safeguard the company’s assets, the efficiency and effectiveness of its processes, the reliability of the information provided to corporate bodies and the market and compliance with internal and external regulations.

The Internal Control and Risk Management System Guidelines promote the sound management of the Group in line with the corporate objectives through a process of identification, measurement, management and monitoring of the main risks and the activation of information flows to ensure sharing and coordination between the various actors involved. The Guidelines take into account the recommendations of the Corporate Governance Code of Borsa Italiana and are inspired by existing best practices, in particular COSO – Internal Control – Integrated Framework (Committee of Sponsoring Organisations of the Treadway Commission) and are intended to:

  • provide guidance for the actors of the SCIGR, so that the main risks pertaining to the Acea Group, including those regarding sustainability in the medium-long term, are correctly identified and adequately measured, managed and monitored;
  • identify principles and responsibilities with regard to governing, managing and monitoring risks linked to company activities;
  • provide for control activities at all operational levels and identify tasks and responsibilities to ensure coordination between the main subjects involved in the System.

Risk management is a cross-cutting process with responsibilities spread across all parties in the company: the Board of Directors and the Board Committees, the Director in charge of the SCIGR (who is also the Chief Executive Officer), the Board of Statutory Auditors, all the managers and employees, the Manager in charge, the second level Supervisors, the Oversight Committee, the Data Protection Officer, the Internal Audit Function and the Risk & Compliance Function.

Chart no. 14 – The architecture of the SCIGR


Chart no. 15 – The key players of the SCIGR


Dedicated corporate structures in the Holding Company oversee specific models for monitoring risks, including risks relating to the potential commission of crimes.
The internal control structures constantly monitor and adapt their operating models in order to oversee the relevant risks in the best manner possible.

Table no. 11 – Models and controls

Models and controls | Oversight areas
Guidelines of the Management and Control Model pursuant to Law 262/2005 | Risks connected with the Group’s Financial Reporting
Privacy Governance Guidelines | Compliance with EU Regulation 2016/679 (GDPR) and other national and European provisions on the protection of personal data
Antitrust Compliance Programme | Compliance with antitrust and consumer regulations and development of a corporate culture to ensure the protection of competition and consumers
Oversight of Cyber Security | Cyber risk, also in compliance with EU Directive 2016/1148 on European Information Systems and Networks (NIS)
Oversight of ISO45001 and ISO14001 | Occupational health and safety risks and environmental risks
Organisation, Management and Control Model pursuant to Legislative Decree 231/2001 | Risk of commission of administrative offences and crimes in the areas covered by Legislative Decree 231/2001

THE ACEA “PRIVACY GOVERNANCE MODEL”

Acea has adopted a Group Privacy Governance Model, compliant with the indications of Regulation (EU) 2016/679 on data protection (GDPR), which constitutes the organisational and control framework in which the roles and responsibilities and the implementing methods of the basic principles of the Privacy regulation are identified, with a preventive risk-based approach supported by continuous monitoring and periodic reviews.


This Model - which is also adopted by the Subsidiary Companies - is reviewed annually on the basis of the performance in previous years and is amended to strengthen its effectiveness (Control Framework).
Acea oversees the various areas with an impact on privacy, gradually leading to the adoption of policies on remote working, data security management and compliance.
In 2022, the risk analysis of all data processing included in the Parent Company’s records was completed, aimed at ensuring the constant and prompt update of the associated risks. Processing considered to be potentially high risk, according to the specific situation, is subject to specific analyses such as the DPIA (Data Protection Impact Assessment), LIA (Legitimate Interest Assessment) and TIA (Transfer Impact Assessment). For outsourced activities, specific contractual tools were adopted to govern personal data processing and continuous monitoring of procurement activities is ensured.
During the year, the provisions issued by the Italian Data Protection Authority, such as those concerning Google analytics, were implemented, and other initiatives were launched:

  • an internal awareness campaign, with the promotion on the company intranet of “training pills” on key data protection concepts;
  • the development, in collaboration with the physical and cyber security departments of the Parent Company, of a second-level governance and monitoring tool (PSRC tool), consisting of a library of 62 risk-adapted control measures/domains, aimed at overseeing privacy security and data protection risks;
  • a GDPR compliance pilot project for suppliers, appointed as data controllers, in order to comply with the obligations of supervision and control over the processing of personal data for the Acea Group.

ANTITRUST COMPLIANCE PROGRAMME

Antitrust law and consumer protection regulations represent key compliance areas and are a major focal point for the Acea Group, which has implemented a project to revise and update the existing Antitrust Compliance Programme, with the aim of defining and formalising a structured and high-profile Antitrust Compliance Governance Model. Building on its experience and the insights offered by the enforcement practice of the Italian Antitrust Authority, the Group is able to strengthen the internal control system in this area and to refine compliance strategies, in accordance with the guidelines provided by case law and by the Italian and EU antitrust authorities. In 2022, Acea's Board of Directors approved the "Antitrust Compliance and Consumer Protection Guidelines", which aim to provide subsidiaries with a common framework that outlines the guidelines for the implementation of their own Antitrust Compliance Model, each according to its own specific characteristics. The Subsidiary Companies appoint an Antitrust Officer who is responsible for the implementation of the Model.

CYBER RISK, INFORMATION ASSETS AND ICT SYSTEMS

The development of digital technologies for the management of infrastructure and essential services requires the parallel development of measures to combat cyber security threats.
According to scenario data, the number of cyber attacks in the energy sector in the first half of 2022 was 42% higher than the total number of attacks in 2021; during the same period, the costs incurred by companies due to cyber damage tripled, and this figure is expected to double again by 2025. At the same time, the European Union intervened on the evolution of the sector's regulations, while in Italy the Italian Cyber Security Regulatory Authority (ACN - Agenzia per la Cybersecurity Nazionale) became fully operational. Cyber security and the development of skills in all Information Security domains (technology, legal, risk management, incident management, training, etc.) are therefore becoming highly strategic areas.
In 2022, the holding company's Cyber Security Unit continued to develop capacities and optimise its technological innovation, processes and organisation, and plays a key role in the security of the Group's operating companies. In particular, a new strategy, objectives, technologies and processes were defined in the areas of IT, OT and IoT, applying a holistic and unified approach to the increasingly challenging issue of security. During the year, the second phase of the cyber risk analysis programme was conducted, increasing the number of assets in the scope of the analysis and attempting to develop an integrated risk overview in the relevant areas. The Vulnerability Management Programme, aimed at researching and mitigating vulnerabilities, was consolidated, extending the scope of the analysis and developing the supporting technologies, while the Security by Design process, which focuses on defining IT security requirements and is fundamental to developing business-oriented technology projects, was also strengthened.
Thanks to the development of Cyber Threat Intelligence, the volume of managed information deriving from within and outside the Company was significantly expanded, laying the foundations for the comprehensive and integrated monitoring of the cyber climate. In addition, the creation of a catalogue of security services, delivered as a continuous service or on demand, has improved the efficiency and cost effectiveness of the cyber risk management service, also consolidating cyber security as a competitive advantage for the business. Other measures implemented to improve the Group's cyber resilience, particularly in the Cyber Legal area, include a regulatory monitoring service aimed at identifying cyber security legislative initiatives that directly impact the context in which Acea operates, and, in this regard, proactively identifying the necessary compliance measures.
To develop institutional accreditations, meetings were held with the main institutions aimed at consolidating Acea's position as a strategic partner in the field of cyber security and as an active participant in the definition and revision of directives and implementing decrees on the subject, establishing the company as a major player both in the protection of critical infrastructures and in the security of the Energy and Water sectors.
Real-Time Security Monitoring and Incident Management capabilities were increased tenfold, partly in response to the current geopolitical scenario, which strongly affected cyberspace in 2022. For example, in January 2022 there was a marked increase in cyber attacks from Eastern Europe, peaking in February when attacks rose from 2 million per month to over 9 million per month. Finally, the awareness and training campaign aimed at the entire company workforce to develop knowledge and individual skills on cyber security continued. Acea also continued to take part in the ECHO programme, the European network of Cybersecurity centres and competence Hub for innovation and Operations, to establish a Europe-wide network of cybersecurity centres, and in the H2020 ATENA project on the security and resilience of digital infrastructures.

PROTECTION OF PHYSICAL AND DIGITAL ASSETS AND MANAGEMENT OF INTERNAL RISKS

The Security Unit is part of the Human Resources Department and is responsible for defining the guidelines and policies on the safeguarding and protection of the company's physical assets, as well as associated actions aimed at preventing fraudulent conduct and ensuring compliance with current security regulations. It also oversees the design, installation and maintenance of the Security Systems for the company sites of subsidiary companies and coordinates the implementation of plans for the continuity of operations and the management of emergencies.
The Security Unit manages the security and reception facilities and personnel and controls the Security Operating Room (SOS), the video surveillance, anti-intrusion and alarm systems; lastly, in collaboration with the relevant structures and companies of the Group it coordinates the proper performance of the activities required by judicial authorities, security institutions and the police.
In 2022, the IT equipment in the Security Operations Room was replaced; as part of the project, PAM systems using AI-based password protection and software encryption technology were developed and installed to mitigate the risks and possible effects of hacker attacks. The Group continued to monitor and manage the risk associated with the Covid-19 pandemic at its sites.

Within the framework of the Internal Control and Risk Management System, Group companies adopt their own Organisation, management and control models pursuant to Legislative Decree no. 231/2001 to prevent the risk of certain crimes or administrative offences committed in their interest or benefit by senior management or subject to the management or supervision of the latter. The development of the Models is preceded by a mapping of the business areas concerned (so-called “risk areas”) and the identification of sensitive activities and potential offences. The Models are promptly updated in response to changes in the organisation or activities carried out, or following the introduction of new cases in the catalogue of predicate offences of the aforementioned Legislative Decree. In 2022, regulatory updates to Legislative Decree no. 231/2001 concerned the entry into force of Law no. 9/2022 containing “Provisions on crimes against cultural heritage”, which introduced “Crimes against cultural heritage” (Art. 25-septiesdecies) and “Laundering of cultural assets; destruction and looting of cultural assets and landscape” (Art. 25-duodevicies) as new offences. For Acea, the adoption of principles and compliance with the rules set out in the Company Code of Ethics – an integral part of the 231 Model and the internal control system – are also relevant to prevent the crimes pursuant to Legislative Decree no. 231/2001, as well as representing a key reference for recipients of the Code. The Oversight Committee (OC), which is designated as a key player under the Decree, has full and autonomous powers of initiative, action and control regarding the operation, effectiveness and observance of the specific Models. Organisational controls are managed by the Internal Audit Function, which ensures the verification and monitoring of certain processes instrumental to Legislative Decree no. 231/2001, such as the circumstances in which the conditions or means for the commission of several offences could manifest, on behalf of the Oversight Committee of the subsidiaries that have adopted the Model.
The Internal Audit function carries out the controls envisaged in the Audit Plan, approved by the Board of Directors and subject to the opinion of the Control and Risk Committee. The Plan is drawn up on the basis of the analysis and prioritisation of the main risks for Acea and its subsidiaries, carried out during the Risk Assessment, also thanks to the monitoring carried out by the corporate Functions responsible for second-level controls.
In 2022, around 91% of the Plan activities concerned corporate processes deemed to be exposed to the risks covered by Legislative Decree no. 231/2001, including crimes relating to corruption, the environment, and violations of accident prevention and occupational health protection laws.
With regard to audits of processes related to corruption risks, there are, in particular, periodic audits of sponsorships, consulting, personnel selection, purchasing and payments, and out-of-court settlements for all subsidiaries that adopted the Model pursuant to Legislative Decree no. 231/2001.
As required by the professional standards of the Institute of Internal Auditors (IIA), the audits also assess the specific fraud risks of the process analysed and test the operation of the related controls. With reference to detection audit activities, 23 Key Risk Indicators have been adopted for the purchasing area, which are analysed periodically.

REPORTS RECEIVED ON THE CODE OF ETHICS AND THE ROLE OF THE ETHICS OFFICER

In November 2022, the Board of Directors of Acea SpA adopted the new Code of Ethics, revising and updating the 2018 version. In addition to reflecting regulatory and organisational developments, the update aimed to make the Code of Ethics more usable and applicable to the various businesses within the Group, and to enable the wider dissemination of Acea's principles and values to all Group companies and individuals.

Meanwhile, references were added to the principles and standards associated with the Group's strategic initiatives, particularly those related to sustainability, and the following topics were developed:

  • the protection of human rights in every operational context, including the supply chain;
  • explicit reference to inclusion, the involvement of Acea’s personnel, and organisational well-being;
  • commitment to preserving ecosystems and biodiversity;
  • commitment to defining a climate change mitigation and adaptation strategy;
  • the importance of dialogue and discussion with stakeholders;
  • interacting with sustainability-conscious suppliers.

Acea has a procedure which can be activated by both employees and external parties, for the receipt, analysis and processing of reports – so-called “whistleblowing” reports – relating to potential violation of the law, the internal rules and the Code of Ethics, as well as issues pertaining to the Internal Control System, corporate information, the Company’s administrative responsibility (Legislative Decree no. 231/2001), fraud and conflicts of interest, while ensuring the maximum level of confidentiality and privacy when processing the reports received in order to protect the whistleblower and the reported party. The “Comunica Whistleblowing” company IT platform uses an advanced encryption system for communications and its database to guarantee compliance with required regulatory standards (Law no. 179/2017), confidentiality for whistleblowers, secure filing of documents sent and uploaded to the system and confidential management of analysis and other processes.
The reports related to alleged violations of the Code of Ethics and the SCIGR of the Group companies are sent to the Ethics Officer, the collegial body within the Group that manages the system for reporting alleged violations due to non-compliance with the law, the internal regulations and the Code of Ethics and monitors observance of the values of transparency, legality, fairness and ethical integrity in relations with all stakeholders. The Ethics Officer also prepares periodic reports on the main findings to company top management and the supervisory bodies.
In 2022, 38 reports were received by the Ethics Officer, of which 24 related to alleged violations of the Code of Ethics and 14 to other cases (commercial complaints, reports of alleged abusive connections to the water and electricity networks) and were therefore classified as 'not relevant'; 16 of these reports were sent to the Ethics Officer's e-mail address, 12 by regular mail and 10 by the Whistleblowing Platform.
The 24 “relevant” reports concerned: 4 on customer relations, 7 on health, safety and environment, 6 on procurement and supplier relations, 2 on human resources, 2 on protection of company assets, 1 on transparency and fairness, and 2 on compliance with company regulations. At the end of the investigations, 7 reports were assessed as “justified” and, therefore, the relevant corrective actions were taken, 14 reports were assessed as “unjustified”, 2 were filed as “unsubstantiated” and “unverifiable”, and 1 was classified as “suspended”, pursuant to the Whistleblowing procedure, as it concerned a labour dispute with an employee.
Failure to comply with the Code of Ethics by employees may result in disciplinary measures, as defined in the Code itself and in the OMC Model 231 adopted by Group companies, such as fines or suspension from service which may affect remuneration.
The Ethics Officer is also tasked with supporting the company departments responsible for Code of Ethics training, by promoting communication programmes and activities intended to disseminate the Code as widely as possible, and with supporting the Ethics and Sustainability Committee in monitoring the adequacy and implementation of the Code of Ethics, for the matters within its remit. To this end, the Ethics Officer can suggest that the Ethics and Sustainability Committee issue or amend any guidelines and operating procedures in order to reduce the risk of violation of the Code of Ethics and indicate opportunities to update it. In 2022, the Ethics Officer periodically monitored the uptake of training on the Code of Ethics and Whistleblowing. Furthermore, two live training sessions on the whistleblowing process, aimed at managers and senior management, were held by the Ethics Officer.

INTEGRATED ANALYSIS AND RISK MANAGEMENT METHOD

Thanks to the ERM Programme, based on the COSO framework “Enterprise Risk Management (ERM) - Integrating with Strategy and Performance” 2017, the Acea Group is improving the integrated vision and proactive management of risks.

The aim of the ERM process is to:

  • represent the type and significance (probability and economic-financial and/or reputational impact) of the main risks, also with impacts on sustainability, that may jeopardize the achievement of the Group’s strategic and business objectives;
  • address response strategies and subsequent additional mitigation actions.

The methodology and tools used to identify risks and assess their severity in a consistent manner at Group level, through the definition of the Risk Model, have further focused attention on ESG aspects and the risk scenarios associated with the issues that emerged from the Materiality Analysis (see “Communicating Sustainability: Methodological Note” for more details). During the Risk Assessment, performed at least once a year at Group level, the Risk Owners identify the risk scenarios related to the Acea material topics, highlighting the possible impact and typical control activities implemented in order to manage and mitigate them. The results of the ERM Process are also taken into account when planning actions to mitigate risks and seize opportunities by Group companies with certified Management Systems.
The Group Risk Assessment Report, drawn up downstream of the activities and according to the schedule defined above, provides the Board of Directors and Committees of Acea SpA with an overview of the Group's overall risk profile and its evolution over time. Furthermore, at the request of the supervisory and/or administrative bodies, the Risk & Compliance Function may be called upon to produce specific reports associated with risk assessments on particular areas, including ESG topics, in line with the methodology and ERM framework.
The ERM processes allow for constant interaction between the ERM Unit of the Parent Company’s Risk & Compliance Function and the focal points in the Risk & Compliance Units of the Operating Companies (see Chart no. 16).

Chart no. 16 – The ERM Unit and the corporate focal points


Table no. 12 – Acea material topics, risks and management methods

Highly significant material topic and related risk | Potential impact on Acea | Potential impact on stakeholders | Risk management approach and associated impacts

SUSTAINABLE AND CIRCULAR WATER MANAGEMENT
adverse natural events and/or climate change (*);
authorisation delays impacting on optimal management conditions

economic/ financial

reputational

natural environment, communities/citizens, inhabitants served by the water service, ecosystem innovation and research/business partners/scientific communities/membership bodies, institutions

  • Policies, processes and procedures (relations with institutional representatives and authorisation bodies)
  • Dedicated organisational structures
  • Focus of investments
  • Business Continuity and Maintenance Plans
  • Specialist studies and analyses (ISO 17025)
  • IT security systems

ETHICS AND INTEGRITY IN BUSINESS CONDUCT

Conduct contrary to binding regulations, internal rules and standards of reference

economic/ financial reputational

communities/citizens, inhabitants served by the water service, Areti users, Acea Energia customers, shareholders and investors, employees, suppliers/production chain, innovation and research ecosystem/business partners/scientific community/membership bodies, institutions

  • Policies, processes and procedures (Code of Ethics – Organisation, Management and Control Model 231/2001 – Whistleblowing system)
  • People and organisation (training and communication plans)
  • Monitoring and periodic reporting

PROTECTION OF ECOSYSTEMS AND BIODIVERSITY

Exceeding the emission limits envisaged by laws and authorisation decrees;

failure to meet targets to increase renewable energy consumption;
impacts on environmental balance conditions caused by plants that unexpectedly do not comply with legal limits

economic/ financial reputational

all stakeholders
  • Policies, processes and procedures (ISO 14001 and EMAS)
  • People and organisation (dedicated structures and training)
  • Focus of investments
  • Monitoring and support tools
  • Specialist studies and analyses
  • Periodic reporting
  • Maintenance plans
  • Remote control and remote management applications

CLIMATE CHANGE AND ENERGY TRANSITION

failure to build sustainable plants and to adapt operating practices to the evolution of climate change and to achieve the dissemination objectives of consumption from renewable sources (production of energy from renewable sources, resilience of the electricity grid, availability of water)

economic/ financial reputational

all stakeholders
  • Policies, processes and procedures (ISO 50001, ISO 14001, UNI 11352 and EMAS)
  • Dedicated organisational structure
  • Specialist studies and analyses
  • Focus of investments
  • Periodic reporting

TECHNOLOGICAL INNOVATION AND DIGITAL TRANSFORMATION

operational inefficiency due to technological and innovative inadequacy;
Cyber risk/Operational Technology (*)

economic/ financial reputational

all stakeholders

  • Policies, processes and procedures (dialogue with institutional counterparts)
  • Monitoring and periodic reporting
  • People and organisation (training and skill consolidation)

  • IT security systems

MANAGEMENT AND TREATMENT OF WASTE FOR A CIRCULAR ECONOMY

failure to comply with regulations;
obstacles in the waste treatment and delivery market (*)

economic/ financial

natural environment, communities/citizens, new generations, suppliers/production chain, ecosystem innovation and research/business partners/scientific communities/membership bodies

  • Policies, processes and procedures (ISO 14001 and EMAS)
  • People and organisation (specific units and training)
  • Periodic reporting
  • Audits on customers/suppliers/partners
  • Consolidation through corporate acquisitions (M&A)
  • Monitoring and control plans

OCCUPATIONAL HEALTH AND SAFETY

accidents at work, risk of spreading disease

economic/ financial reputational

employees
  • Policies, processes and procedures (ISO 45001, Biosafety Trust, ISO39001)
  • People and organisation (dedicated structure, training and communication plans)
  • Supplier checks
  • Extraordinary maintenance on plants serving the offices, office sanitisation
  • Monitoring and periodic reporting

DIALOGUE AND ENGAGEMENT WITH STAKEHOLDERS AND TERRITORY

tensions with stakeholder representatives in the region with negative effects on the development of activities (*)

economic/ financial reputational

all stakeholders

  • Policies, processes and procedures
  • People and organisation (stakeholder engagement oversight activities, training and skill consolidation)

  • Dialogue with counterparties

SKILLS DEVELOPMENT AND EVOLUTION OF THE WORKING ENVIRONMENT

lack of adequacy both in terms of skills and composition of company workforce

economic/ financial reputational employees
  • Policies, processes and procedures (remuneration and incentive policies)
  • People and organisation (dedicated structures and training)
  • Performance evaluation system
  • Monitoring and periodic reporting

SUSTAINABILITY IN INFRASTRUCTURE DESIGN, CONSTRUCTION AND MANAGEMENT

environmental and social impacts from inadequate and failed design, construction and/ or management of plants/ networks (*)

economic/ financial reputational

natural environment, communities/citizens, new generations, inhabitants served by the water service, Areti users, Acea Energia customers, shareholders and investors, suppliers/production chain, innovation and research ecosystem/business partners/scientific community/membership bodies, institutions

  • Policies, processes and procedures (application of sector best practice)
  • Monitoring and periodic reporting
  • People and organisation (training and skill consolidation)

  • Implementation of specific applications
  • Maintenance plans

CUSTOMER FOCUS

failure to reach service quality levels;
difficulty in meeting customer expectations (*)

economic/ financial reputational

communities/citizens, inhabitants served by the water service, Areti customers, Acea Energia customers

  • Policies, processes and procedures
  • Dedicated organisational structure
  • Periodic reporting (analysis of customers and services)

  • Regulatory framework and reference legislation monitoring

  • Investment in customer care software

SUSTAINABILITY AND CIRCULARITY ALONG THE SUPPLY CHAIN

failure to audit the procurement process; failure of suppliers to comply with the requirements (health and safety, environmental, anti-corruption)

economic/ financial reputational

suppliers/production chain, ecosystem innovation and research/business partners/ scientific communities/ membership bodies

  • Policies, processes and procedures
  • Quality monitoring of goods/services received
  • Qualified suppliers register
  • Specialist benchmark studies and analyses

COMPANY WELL-BEING, DIVERSITY AND INCLUSION

increased absenteeism rate; negative company climate;

possible lawsuits from employees

reputational

employees

  • Policies, processes and procedures
  • People and organisation
  • Training and communication plans
  • Corporate welfare initiatives (e.g. flexible benefits, health check-ups)

GOVERNANCE FOR SUSTAINABLE SUCCESS

non-compliance with Legislative Decree no. 254/2016; inadequacy of the internal regulatory system with respect to the guidelines of the Corporate Governance Code

reputational

Shareholders and investors, employees, institutions

  • Policies, processes and procedures (updating and verification of information systems and the organisation)
  • Board committees (Ethics and Sustainability, Control and Risks)
  • Certification of data managers and reporting assurance by the auditor
  • Monitoring and periodic reporting

- ECONOMIC GOVERNANCE TOPICS - SOCIAL TOPICS - ENVIRONMENTAL TOPICS

Note: the complete list of stakeholders includes: natural environment, communities/citizens, new generations, inhabitants served by the companies of the Water area within the NFS reporting boundary, Areti users (energy distribution), Acea Energia customers (protected market, free market, gas), shareholders and investors, employees (companies in the NFS reporting boundary), suppliers/production chain, innovation and research ecosystem/business partners/scientific community/membership bodies, and institutions.
(*) Risks marked with an asterisk correspond to the main emerging risks that may have a significant impact on the Acea Group.


In 2022 a new materiality analysis cycle was conducted with the direct involvement of Group managers, aimed at identifying and assessing the main material topics with impacts on the company, its performance and its development. In order to develop greater synergy with the risk assessment sphere, managers were guided by qualified experts to focus on the main opportunities associated with the identified material topics. A number of suggestions emerged from the collective discussion, including: the central role of new technologies and the ability to develop synergies with qualified players in the innovation ecosystem, not only to improve industrial processes but also to develop innovative services and products for the ecological transition; the importance of high quality relations with stakeholders, to be sought through a careful and participatory dialogue, aimed at responding to central needs; and the need to develop new skills and key areas of expertise for the managed businesses.
According to the most recent report on global risks, the Global Risks Report 2023, published by the World Economic Forum in January 2023, the findings of the 2022-2023 Global Risks Perception Survey again place the failure to mitigate and adapt to climate change at the top of the list of “top ten global risks”, which represent the greatest long-term (ten-year) threats, followed by the risk of natural disasters and extreme weather events, and biodiversity loss and ecosystem collapse.
Acea carefully monitors this area and the initiatives undertaken have enabled the Group to maintain a strong position in the CDP (formerly Carbon Disclosure Project) rankings; furthermore, in order to expand on the analysis of the risk factors generated by climate change and their impacts on the businesses managed, the Group has continued its alignment process with the Recommendations defined by the Task Force on Climate-related Financial Disclosures with the analysis of other potential long-term risks (for more details see Relations with the Environment, section Environmental and climate risks: analyses and disclosure).
The response to the CDP Questionnaire includes an assessment of risks and opportunities associated with the activities over a short, medium and long-term horizon, the main results of which are shown in Table no. 13, including the time horizon of the scenario and the most significant implications for the company, in terms of economic-financial, reputational, environmental and customer impact.

Table no. 13 – Risks and opportunities related to climate change: CDP evidence

RISKS

TRANSITION: Risks arising from the ongoing transition process towards a decarbonised economic system (for example, regulatory, technological, market areas)

| Risk type | Type details and risk description | Most impacted business areas | Time frame |
|---|---|---|---|
| Legislative/Regulatory | These risks may manifest in the following ways: higher carbon tax policies and white certificates; changes to incentive schemes; tightening of the values linked to the Emission Trading Scheme (both in terms of emissions allowed and the cost of actual emission allowances); regulatory developments that require the reduction of impacts in the conduct of business operations | Energy production (thermoelectric and waste-to-energy); Electricity grid management; Water management | short-medium-long |
| Technology | Technological evolution may impose the reconversion of the design of processes in order to make them less polluting (for example replacing existing plants or parts thereof with other low-emission technologies) | Energy production (thermoelectric and waste-to-energy); Electricity grid management; Water management | medium |
| Legal | These include risks related to the worsening of legal and economic sanctions for failure to comply with technical quality and performance standards in the electricity and water services (fines and incremental compliance costs) | Electricity grid management; Water management | medium-long |
| Market | Commercial risks are attributable to the failure to adapt the products/services of the Group companies to the new requirements of customers, who are more aware of the topics of sustainability, or to the increase in poverty, also caused by climate change, which changes the habits of consumers/customers | All businesses and Commercial in particular | medium-long |
| Reputational | Reputation risk derives from a negative perception of the company’s image by its stakeholders as a result of negative events/conditions associated with climate change (e.g. interruption in services caused by the scarcity of water or by extreme weather events) | The Acea Group | short/medium term |

PHYSICAL: Risks arising from the physical effects of climatic events (acute if related to episodic phenomena, or chronic if related to long-term changes)

| Risk type | Type details and risk description | Most impacted business areas | Time frame |
|---|---|---|---|
| Acute | Extreme weather events such as heavy rainfall and cloudbursts place stress on the resilience of the electricity grid (interruption to power supply) but also create difficulties in the normal management of overabundance of water in the water service: cloudbursts can also cause a temporary service disruption in wastewater treatment plants or the entire sewerage network service. Heat waves cause peaks in demand for energy/water on the electricity distribution grid/water network. | Electricity grid management; Water management; Energy production | short-medium-long |
| Chronic | The reduction in rainfall can have a negative impact on the electricity distribution service, the production of electricity by the hydroelectric plants and the availability of water for human consumption, thus causing an increase in energy consumption for the withdrawal of water. The risk of more frequent lightning strikes can cause interruptions to the distribution of electricity and thus economic damage. Temperature changes can cause variations in the composition of incoming waste (decomposition) in waste-to-energy plants, even changing the technological/operating needs associated with variations in emissions and the necessary processing. Incentives are also linked to the biodegradable quantity of the waste. | Electricity grid management; Water management; Energy production; Environment Segment | short-medium-long |

OPPORTUNITIES

| Drivers | Type details and opportunity description | Industrial areas affected | Time frame |
|---|---|---|---|
| Circular economy | Promotion of circular economy models and waste recovery projects, for example with waste-to-energy processes combined with material recovery (for example: bottom and fly ash recovery) | Environment Segment | medium |
| Development of photovoltaic plants | Diversification of production facilities with the acquisition and/or construction of photovoltaic plants that, in addition to receiving incentives for the feeding of electricity produced into the grid, allow balancing any reductions in hydroelectric production. | Production of electricity; technological innovation | medium |
| Increase in network resilience | Investments to improve the resilience of the electricity grid promoted by ARERA. | Distribution of electricity | medium |
| Market and services | Opportunities arising from the change in energy demand related to changes in peak ambient temperatures and the increase of the average temperature, with an impact on price growth and volumes sold | Energy sales | short/medium term |

In June 2022, following a project completed in 2021 aimed at identifying, selecting and analysing the most relevant climate risks for the main Group companies, the 2021 Climate-Related Disclosure of the Acea Group [54] was published in accordance with the recommendations of the Task Force on Climate-related Financial Disclosures (TCFD), marking the beginning of a journey to improve awareness and financial reporting practices on the most significant aspects of climate change. The climate analysis project continued in 2022, expanding the number of Companies in the water sector involved in the analysis and increasing the physical and/or transition risks considered. For more details, see the 2022 Acea Project on the TCFD Approach box in the Relations with the Environment chapter.

Lastly, in relation to the management of operational risks in case of emergency and the preventive and operational initiatives defined by the Group companies, refer to the chapter Institutions and the Company (paragraph Plans for emergency management).

ANALYSIS OF POTENTIAL ENVIRONMENTAL RISKS

The companies operating in the water, energy infrastructure and generation and the environment business areas that have ISO 14001:2015 certified environmental management systems identify the potential negative environmental impacts generated by the activities in relation to specific events or operations.
For the water sector, the main risks concern: acute or chronic climatic phenomena or seismic events, which could cause structural failure or malfunctions of plants and network systems managed, causing water shortages for users or accidental spillage of pollutants; inefficient operational management of water, which could cause high levels of losses with consequent excessive consumption; water stress; possible breach of water control parameters with environmental consequences; inadequate interventions on the sewage treatment system with possible contamination of the soil and water bodies; risks of fires and explosions in treatment plants related to the production of biogas, with possible impacts in terms of emissions into the atmosphere.
In the context of energy networks, the main risks are attributable to the existence of overhead and underground systems with impacts in terms of land use and subsoil, the generation of waste and impacts on ecosystems, the generation of electromagnetic fields with impacts in terms of exposure, the maintenance of transformation plants with potential soil and subsoil contamination with hazardous materials, and the maintenance and construction of plants with impacts in terms of production of special waste.
For the electricity generation activities, carried out with renewable and conventional power plants, the potential environmental risks attributable to the ordinary management of the plants or in the event of critical events like fires or explosions may lead to the accidental spillage of pollutants or the exceeding of threshold values in emissions (into the atmosphere, surface water and sewerage). An example of environmental risk derives from the potential dangerousness of structural failure of hydraulic works attributable to critical natural phenomena (such as earthquakes of particular intensity and/or millennial floods), which could affect the territory downstream of the plants (e.g. floods).
The environment sector involves the treatment, recovery and disposal of waste, the recovery of materials and energy (waste-to-energy and composting) and the collection, transport, recovery and disposal of non-hazardous waste produced by waste treatment plants. In this context, potential risks for the environment could take the form of spills of hazardous substances and consequent contamination of the soil and aquifers or surface waters, or of emissions into the atmosphere or water above specific prescribed limits, the treatment of waste not compliant with the reference legislation with repercussions on plant operations, unintentional fires that may cause interruptions to plant operations and pollution of the surrounding areas, as well as the failure to make investments or carry out works on the plants, with impact on the company’s management due to delays in the issue of authorisations; finally, environmental exposure can be caused by noise, odour and dust produced during extraordinary maintenance of the plants.

[54] The document is available online at the website www.gruppo.acea.it.
