Internal control and risk management system

[GRI - 102-12], [GRI - 102-16], [GRI - 102-23], [GRI - 102-24], [GRI - 102-25], [GRI - 102-26], [GRI - 102-27], [GRI - 102-29], [GRI - 103-1], [GRI - 103-3], [GRI - 201-1], [GRI - 201-2], [GRI - 205-1], [GRI - 301-1], [GRI - 302-1], [GRI - 303-1], [GRI - 304-1], [GRI - 305-1], [GRI - 306-1], [GRI - 308-1], [GRI - 403-1], [GRI - 406-1], [GRI - 418-1]

Acea’s Internal Control and Risk Management System (SCIGR), which plays a central role in the Group’s governance structure, consists of a set of people, tools and organisational structures intended to:

  • identify the risks that can affect the pursuit of the objectives established by the Board of Directors;
  • encourage the taking of conscious decisions that are consistent with the company’s objectives, within the context of a knowledge of the risks and the level of tolerance to them, legality and company values;
  • safeguard the company’s assets, the efficiency and effectiveness of its processes, the reliability of the information provided to corporate bodies and the market and compliance with internal and external regulations.

The Internal Control and Risk Management System Guidelines promote the sound management of the Group in line with the corporate objectives through a process of identification, measurement, management and monitoring of the main risks and the activation of information flows to ensure sharing and coordination between the various actors involved. The Guidelines take into account the recommendations of the Corporate Governance Code of Borsa Italiana and are inspired by existing best practices, in particular COSO – Internal Control – Integrated Framework (Committee of Sponsoring Organisations of the Treadway Commission) and are intended to:

  • provide guidance to ensure that the main risks related to the Acea Group, including medium to long-term sustainability risks, are properly identified, measured, managed and monitored;
  • identify principles and responsibilities with regard to governing, managing and monitoring risks linked to company activities;
  • provide for control activities at all operational levels and identify tasks and responsibilities to ensure coordination between the main subjects involved in the System.

Risk management is a transversal process, with responsibilities spread over all the company bodies: the Board of Directors and the internal Board Committees, the Director in charge of the SCIGR (coinciding with the Chief Executive Officer), the Board of Statutory Auditors, all managers and employees, the Executive Responsible, the second-level principals within the Risk Management, Compliance & Sustainability function, the Supervisory Body and the Internal Audit function.

Chart no. 14 – The architecture of the SCIGR


Chart no. 15 – The key players of the SCIGR


The Parent Company’s internal control structures constantly monitor and adapt their operating models in order to oversee the relevant risks in the best manner possible.

Table no. 14 – Models and controls

Models and controls | Oversight areas
Guidelines of the Management and Control Model pursuant to Law 262/2005 | risks connected with the Group’s Financial Reporting
Privacy Governance Guidelines | risks concerning the protection of personal data in compliance with EU Regulation 2016/679 (GDPR) and other national and European provisions and definition of the privacy model
Antitrust Compliance Programme | risks arising from the breach of antitrust law and consumer law, and the development of a business culture to ensure the protection of competition and the consumer
Oversight of Cyber Security | cyber risk, also in compliance with EU Directive 2016/1148 on European Information Systems and Networks (NIS)
Oversight of ISO45001 and ISO14001 | occupational health and safety risks and environmental risks
Organisation, Management and Control Model pursuant to Legislative Decree 231/2001 | risk of commission of administrative offences and crimes in the areas covered by Legislative Decree 231/2001
Anti-Corruption Compliance Programme | risk of commission of bribery offences (active or passive)

THE ACEA “PRIVACY GOVERNANCE MODEL”

Acea has adopted a Group Privacy Governance Model, compliant with the indications of Regulation (EU) 2016/679 on data protection (GDPR), which constitutes the organisational and control framework in which the roles and responsibilities and the implementing methods of the basic principles of the Privacy regulation are identified, with a preventive risk-based approach supported by continuous monitoring and periodic reviews.


This Model - which is also adopted by the Subsidiary Companies - is reviewed annually on the basis of the performance in previous years and is amended to strengthen its effectiveness (Control Framework).
Acea oversees the various areas with an impact on privacy, gradually leading to the adoption of policies on remote working, data security management and compliance.
In 2022, the risk analysis of all data processing included in the Parent Company’s records was completed, aimed at ensuring the constant and prompt update of the associated risks. Processing considered to be potentially high risk, according to the specific situation, is subject to specific analyses such as the DPIA (Data Protection Impact Assessment), LIA (Legitimate Interest Assessment) and TIA (Transfer Impact Assessment). For outsourced activities, specific contractual tools were adopted to govern personal data processing and continuous monitoring of procurement activities is ensured.
The following were also carried out in 2023:

  • an in-company awareness campaign on key data protection concepts; mini-training videos posted on the company intranet;
  • an online training campaign for privacy specialists, to provide expertise on GDPR and the Group Privacy Governance Model;
  • a second GDPR compliance pilot project for suppliers, appointed as data controllers, in order to comply with the obligations of supervision and control over the processing of personal data for the Acea Group;
  • a privacy support activity implementing the Whistleblowing legislation.

ANTITRUST COMPLIANCE PROGRAMME

Compliance with antitrust law and adherence to consumer protection legislation are core values for the Acea Group, which for years has had an Antitrust Compliance Programme to prevent unlawful conduct. The Programme, also implemented in the Subsidiaries, makes it possible to make use not only of regulatory developments, but also of the insights available from the application practices of the national and European Competition Authorities and the guidance of case law, thus helping to strengthen the internal control system and refine compliance strategies with a view to risk prevention and continuous improvement.
Acea provides its subsidiaries, through the “Antitrust Compliance and Consumer Protection Guidelines”, with guidelines for the implementation, within a common framework, of their specific Antitrust Compliance Models. In December 2023, by resolution of the Board of Directors, Acea also approved the updating of the “Antitrust and Consumer Protection Regulation Compliance Manual”, which is the main regulatory tool of the Antitrust Compliance Programme. In addition to reporting the main elements of the regulations provided to protect Competition and Consumers, the Manual sets out the relevant cases and conducts and the main rules of conduct to be observed by all addressees, and recalls and applies the principles of the Acea Group Code of Ethics, which enshrines the protection of competition and consumers as founding values of Acea's and the Group's Companies' business.

CYBER RISK, INFORMATION ASSETS AND ICT SYSTEMS

The development of digitalisation in the management of essential infrastructures and services continues to drive the evolution of the business environment, and concomitantly creates a need to effectively address the growth of cyber threats.
According to the most recent figures, Italy has witnessed a steady increase in cyber attacks, with an 86% increase in the first half of 2023 compared to 2018. The frequency and severity of attacks have increased, due also to the Russia-Ukraine conflict, and in the year under review Italy experienced a significant increase in cyber crime incidents (+40%) compared to 2022, which was above the global average. The European Union has continued to contribute to the development of industry legislation and the National Cybersecurity regulatory Authority (ACN) is operational nationally.
Cybersecurity and skills development are crucial in all areas of Information Security, so a continuous improvement process is underway, fuelled by analysis of the external environment and the lessons learned from the various incidents.
During 2023, the Acea Cyber Security Unit continued to consolidate its role as linchpin for the security of the Group's operating companies. New strategies, goals, technologies and processes were set in the IT, OT and IoT sectors, based on a holistic and unified approach to security. Real Time Security Monitoring and Incident Management capabilities have been increased tenfold, in response to the challenges of the current geopolitical environment that continues to influence the cyber landscape. Vulnerability Management was further strengthened, emphasising vulnerability research and mitigation, together with the Security by Design process, which is crucial for defining cybersecurity requirements in business-oriented technology projects. The development of Cyber Threat Intelligence has led to a significant increase in the volume of information managed, allowing the integrated monitoring of the “cyber climate”. Other interventions aim to improve the Group's cyber resilience, such as the Cyber Legal area, with a regulatory monitoring service to identify cybersecurity legislative initiatives that directly impact the Acea environment.
In 2023, the awareness & training campaign to raise individual cybersecurity awareness and skills continued, as did Acea's participation in the European ECHO programme (European network of cybersecurity centres and competence hub for innovation and operations), which contributes to the security of digital infrastructures at European level.

PROTECTION OF PHYSICAL AND DIGITAL ASSETS AND MANAGEMENT OF INTERNAL RISKS

The mission of the Security & Cyber Defence function is to protect tangible and intangible corporate assets, and to ensure the definition, implementation and control of activated policies for the physical protection of the Group's real estate assets. It also oversees the Security Operations Room (Control Room), the security and reception staff and video surveillance/intrusion systems, and coordinates the implementation of business continuity and emergency management plans.
Finally, the Function cooperates with the competent structures and Group Companies in coordinating the correct performance of activities required by judicial authorities, security institutions and law enforcement agencies.

Within the framework of the Internal Control and Risk Management System, Group companies adopt their own Organisation, Management and Control Models pursuant to Legislative Decree no. 231/2001 to prevent the risk of certain crimes or administrative offences committed in their interest or benefit by senior management or by persons subject to the management or supervision of the latter. The development of the Models is preceded by a mapping of the business areas concerned (so-called “risk areas”) and the identification of sensitive activities and potential offences. The Models are promptly updated in the event of changes in the organisational arrangement or activities carried out, or following the introduction of new offences in the catalogue of predicate offences.
In 2023 Acea SpA carried out a complete revision of the Model as regards the risk assessment methodology, in order to bring it into line with the other methodologies used in the company (e.g. ERM, antitrust, anti-corruption), and reworked the Special Section using a “process driven” approach to make the document more usable and facilitate its application. The new Acea Spa model will constitute the reference framework for the models of the Group companies.
The Supervisory Body (SB), envisaged as an essential actor by Legislative Decree 231/2001, has full and autonomous powers of initiative, intervention and control in the functioning, effectiveness of and compliance with the specific Models. An organisational control mechanism is active in the Internal Audit Function and ensures, for the companies that have mandated it, the verification and monitoring of certain processes that are instrumental under the Decree, i.e. in whose scope the conditions or means for the commission of a multiplicity of offences could be created, on behalf of the Supervisory Board of the subsidiaries.
The adoption of the principles and the observance of the rules provided by the company's Code of Ethics – an integral part of the 231 Model and the Internal Control System – are also relevant for preventing the offences referred to in the Decree.

ANTI-CORRUPTION COMPLIANCE PROGRAMME

The Group is pursuing the implementation of an anti-corruption compliance programme, which was launched via the definition of a Group framework. The first pillar of the framework (Values and Regulatory System) includes the Acea Group's Anti-corruption Guidelines, adopted by the Board of Directors of Acea SpA. It standardises and integrates the anti-corruption compliance measures already widespread within the internal Regulatory System (Code of Ethics, 231 Model, regulatory system, etc.) into an organic framework of rules and principles aimed at countering the risks of unlawful practices. The Anti-Bribery Guideline regulates roles, responsibilities and control activities relating to anti-corruption, such as the principles of conduct to be observed in sensitive areas that may be most exposed to corruption risk, the applicable controls and the information and reporting flows relating to the implementation and monitoring of the framework. The Guidelines apply to the Group Companies and to suppliers, partners, business associates and more generally all parties who act in the name and on behalf of Acea or the Group Companies, or the parties they come into contact with in the course of their business. In each company, an “Anti-Corruption Manager” (ACM) is appointed to ensure compliance oversight for the prevention of corruption. The role also reports to the corporate control bodies. The Parent Company also implemented a Corruption prevention management system, which obtained UNI ISO 37001:2016 certification in 2023 and adopted a specific Anti-Corruption Policy, approved by the Board of Directors in March.

The Internal Audit function carries out the controls envisaged in the Audit Plan, approved by the Board of Directors and subject to the opinion of the Control and Risk Committee. The Plan is drawn up on the basis of the analysis and prioritisation of the main risks for Acea and its subsidiaries, carried out during the Risk Assessment, also thanks to the monitoring carried out by the corporate Functions responsible for second-level controls.
In 2023, around 99% of the Plan activities concerned corporate processes deemed to be exposed to the risks covered by Legislative Decree no. 231/2001, including offences relating to corruption, the environment, and violations of injury prevention laws and of the laws safeguarding occupational health.
With regard to audits of processes related to corruption risks, there are, in particular, periodic audits of sponsorships, consulting, personnel selection, purchasing and payments, and out-of-court settlements for all subsidiaries that adopted the Model pursuant to Legislative Decree no. 231/2001.
As required by the professional standards of the Institute of Internal Auditors (IIA), the audits also assess the specific fraud risks of the process analysed and test the operation of the related controls. With reference to detection audit activities, 23 Key Risk Indicators have been adopted for the purchasing area, which are analysed periodically.

REPORTS RECEIVED ON THE CODE OF ETHICS AND THE ROLE OF THE ETHICS OFFICER

The Code of Ethics, revised and updated in 2022, is conceived to allow the widespread dissemination of Acea principles and values to all the Companies and people of the Group. The Code incorporates references to principles and standards underlying the strategic initiatives for the Group, in particular with regard to sustainability and the valorisation of issues such as the safeguarding of human rights in every operating context, including the supply chain; people’s involvement and organisational wellbeing; inclusion; the safeguarding of ecosystems and biodiversity; the commitment to climate change mitigation and adaptation; dialogue with stakeholders; and the promotion of sustainability with regard to suppliers.
In November 2023, the Board of Directors of Acea SpA adopted the new “Acea Group Whistleblowing Policy”, in compliance with Legislative Decree no. 24 of 10 March 2023, transposing EU Directive 2019/1937, and with the indications of the “Guidelines on the protection of persons who report breaches of Union law and protection of persons who report breaches of national regulatory provisions” approved by ANAC Resolution no. 311 of 12 July 2023. Acea has a consolidated system for receiving and managing reports (“Whistleblowing”), which can be used both by employees and external parties, in connection with the commission of administrative, accounting, civil or criminal offences, non-compliance with the law, internal rules and the Code of Ethics, as well as issues related to the Internal Control System, Corporate Reporting, the company’s administrative liability (Legislative Decree no. 231/2001), fraud and conflicts of interest. The system ensures the highest degree of confidentiality and privacy in the processing of reports, to protect the whistleblower, the reported person and the persons involved.
The “Comunica Whistleblowing” company IT platform uses an advanced encryption system for communications and its database to guarantee compliance with required regulatory standards (Legislative Decree no. 24/2023), confidentiality for whistleblowers, secure filing of documents sent and uploaded to the system and confidential management of analysis and other processes.
The reports related to alleged violations of the Code of Ethics and the SCIGR of the Group companies are sent to the Ethics Officer, the autonomous collegial body within the Group that manages the system for reporting alleged violations due to non-compliance with the law, the internal regulations and the Code of Ethics and monitors observance of the values of transparency, legality, fairness and ethical integrity in relations with all stakeholders. The Ethics Officer also prepares periodic reports on the main findings to company top management and the supervisory bodies.
In 2023, with reference to the scope under review, the Ethics Officer received 42 reports, of which 15 related to alleged breaches of the Code of Ethics, 14 concerned alleged breaches of the SCIGR and 13 related to other cases (commercial complaints, reports of alleged unauthorised water and electricity connections, etc.) and therefore, these were qualified under the procedure as “not relevant”. As regards the acquisition channels, 20 reports were received through the “Comunica Whistleblowing” platform, 15 by ordinary mail, 5 by the Ethics Officer’s email address and 2 by email to entities other than the Ethics Officer.
The 24 “relevant” reports concerned: 11 Human resources, 4 Supplier relationships, 2 potential conflicts of interest, 2 Privacy, 1 Health, Security and Environment (HSE), 1 Procurement, 1 Business, 1 Corporate assets and 1 other areas.

At the end of the investigations, 15 reports were assessed as “unjustified”, 1 was “filed” as “unsubstantiated and unverifiable”, and 1 was “suspended”, pursuant to the Whistleblowing procedure, as the Company had filed a complaint with the competent authorities with reference to the reported facts.
Regarding the remaining 7 reports outstanding, the preliminary verifications and ascertainments have been completed by the Technical Secretariat, which will then suggest that the Ethics Officer assess them, pursuant to the procedure in force, with 2 of them to be “filed” as generic and unsubstantiated, 1 as “justified” with improvement actions partly already implemented by the Company and 4 as “unjustified”.
Note that, following the publication of press articles in February 2023 relating to alleged conduct contrary to the provisions of the company’s Code of Ethics, the Board of Directors instructed the Ethics Officer to carry out the necessary investigations. It was found that the matters investigated did not constitute breaches of the Code of Ethics and were classed as unjustified.
Failure to comply with the Code of Ethics by employees may result in disciplinary measures, as defined in the Code itself and in the OMC Model 231 adopted by Group companies, such as fines or suspension from service which may affect remuneration.
The Ethics Officer is tasked with supporting the company departments appointed to Code of Ethics training, by promoting communication programmes and activities intended for their maximum dissemination, in addition to the Ethics and Sustainability Committee in monitoring the adequacy and implementation of the Code of Ethics, for the matter within its remit. To this end, the Ethics Officer may propose that the Committee issue or amend any guidelines and operating procedures to reduce the risk of breaches of the Code of Ethics and indicate whether they should be updated. In 2023, the Ethics Officer periodically monitored the use of training on the Code of Ethics and on Whistleblowing.

HUMAN RIGHTS POLICY

The protection of human rights is of central importance in responsibly-run business, especially for companies whose activities affect a wide range of stakeholders. Institutions and civil society are increasingly asking organisations to take more responsibility for the protection of human rights. This trend is fuelled also by evidence highlighted in the press, not only in relation to developing countries or countries with limited democratic structures. The matter is also carefully considered by markets and analysts as an aspect of risk management of organisations. Strengthened by this awareness, which is based on the Group's already consolidated values and systems, including the Code of Ethics, the Equality, Diversity and Inclusion Policy, stakeholder engagement principles and tools, as well as the occupational health and safety management systems, the Acea Board of Directors approved the Human Rights Policy in December 2023.
The Policy, which refers to the international and national regulatory framework, sets out 20 principles relating to human rights in two fundamental contexts: the internal work environment and the wider outside community and the environment. It is directed at the members of the management and control bodies of Acea SpA and other Group companies, including those abroad, as well as managers, employees, collaborators and suppliers contractually linked to the Group for any reason, with regard to their activities and within the limits of their responsibilities. The implementation of the Policy rests on a structured governance process through which Acea undertakes training and dissemination actions, monitoring of risks and impacts, and reporting through the “Comunica whistleblowing” platform.

INTEGRATED ANALYSIS AND RISK MANAGEMENT METHOD

Thanks to the ERM Programme, based on the COSO framework “Enterprise Risk Management (ERM) - Integrating with Strategy and Performance” 2017, the Acea Group is improving the integrated vision and proactive management of risks. The aim of the ERM process is to:

  • represent the type and significance (probability and economic-financial and/or reputational impact) of the main risks, also with impacts on sustainability, that may jeopardize the achievement of the Group’s strategic and business objectives;
  • address response strategies and subsequent additional mitigation actions.

The methodology and tools used to identify risks and assess their severity consistently at Group level through the established Risk Model are developed with increasing attention towards ESG aspects. During the risk assessment process, carried out at least annually, the “risk owners” identify risk scenarios related to Acea's material issues and pinpoint possible impacts and the control measures to manage and mitigate them. The results of the ERM Process are also taken into account when planning actions to mitigate risks and seize opportunities by Group companies with certified Management Systems.
The Group Risk Assessment Report provides the Board of Directors of Acea Spa and the Committees with a summary view of the Group's overall risk profile and how it evolves over time. At the request of the supervisory and/or administrative bodies, the Risk Management, Compliance & Sustainability Function may be called upon to produce specific reports associated with risk assessments on particular areas, including ESG topics, in line with the methodology and ERM framework.
The ERM process involves constant interaction between the ERM Unit of the Parent Company's Risk Management, Compliance & Sustainability Function and the focal points of the corresponding Units in the operating companies (see Chart 16).

Chart no. 16 – The ERM Unit and the corporate focal points


Table no. 15 – Acea material topics, risks and management methods

Highly significant material topic and related risk Potential impact on Acea Potential impact on stakeholders Risk management approach and associated impacts

SUSTAINABLE AND CIRCULAR WATER MANAGEMENT
adverse natural events and/or climate change (*);
authorisation delays impacting on optimal management conditions

economic/ financial

reputational

natural environment,
communities/citizens,
inhabitants served by the water service, ecosystem innovation and research/business partners/ scientific communities/
membership bodies, institutions

  • Policies, processes and procedures (relations with institutional representatives and authorisation bodies)
  • Dedicated organisational structures
  • Focus of investments
  • Business Continuity and Maintenance Plans
  • Specialist studies and analyses (ISO 17025)
  • IT security systems

ETHICS AND INTEGRITY
IN BUSINESS CONDUCT

Conduct contrary to binding regulations, internal rules and standards of reference

economic/ financial reputational

communities/citizens,
inhabitants served by the
water service, Areti users,
Acea Energia customers,
shareholders and investors, employees, suppliers/production chain, innovation and research ecosystem/ business partners/ 

scientific community/

membership bodies, institutions

  • Policies, processes and procedures (Code of Ethics – Organisation, Management and Control Model 231/2001 – Whistleblowing system Antitrust Compliance Programme)
  • People and organisation (training and communication plans)
  • Monitoring and periodic reporting

PROTECTION OF ECOSYSTEMS AND BIODIVERSITY

Exceeding the emission limits envisaged by laws and authorisation decrees;

failure to meet targets to increase renewable energy consumption;
impacts on environmental balance conditions caused by plants that unexpectedly do not comply with legal limits

economic/ financial reputational

all stakeholder
  • Policies, processes and procedures (ISO 14001 and EMAS)
  • People and organisation (dedicated structures and training)
  • Focus of investments
  • Monitoring and support tools
  • Specialist studies and analyses
  • Periodic reporting
  • Maintenance plans
  • Remote control and remote management

    applications

CLIMATE CHANGE AND ENERGY TRANSITION

failure to build sustainable plants and to adapt operating practices to the evolution of climate change and to achieve the dissemination objectives of consumption from renewable sources (production of energy from renewable sources, resilience of the electricity grid, availability of water)

economic/ financial reputational

all stakeholder
  • Policies, processes and procedures (ISO 50001, ISO 14001, UNI 11352 and EMAS)
  • Dedicated organisational structure
  • Specialist studies and analyses
  • Focus of investments
  • Periodic reporting

TECHNOLOGICAL INNOVATION AND DIGITAL TRANSFORMATION

operational inefficiency due to technological and innovative inadequacy;
Cyber risk/Operational Technology (*)

economic/ financial reputational

tutti gli stakeholder

  • Policies, processes and procedures (dialogue with institutional counterparts)
  • Monitoring and periodic reporting
  • People and organisation (training and skill

    consolidation)

  • IT security systems

MANAGEMENT AND TREATMENT OF WASTE FOR A CIRCULAR ECONOMY

failure to comply with regulations;
obstacles in the waste treatment and delivery market (*)

economic/ financial

natural environment, 

communities/ citizens, new generations, suppliers/  production chain, ecosystem  innovation  and research/ business partners/scientific 

communities/ membership bodies

  • Policies, processes and procedures (ISO 14001 and EMAS)
  • People and organisation (specific units and training)
  • Periodic reporting
  • Audits on customers/suppliers/partners
  • Consolidation through corporate acquisitions (M&A)
  • Monitoring and control plans

OCCUPATIONAL HEALTH AND SAFETY

accidents at work, risk of spreading disease

economic/ financial reputational

employees
  • Policies, processes and procedures (ISO 45001, Biosafety Trust, ISO39001)
  • People and organisation (dedicated structure, training and communication plans)
  • Supplier checks
  • Extraordinary maintenance on plants serving

    the offices, office sanitisation

  • Monitoring and periodic reporting
DIALOGUE AND ENGAGEMENT WITH STAKEHOLDERS AND TERRITORY

tensions with stakeholder representatives
in the region with negative eects on the development of activities (*)

economic/ financial reputational

all stakeholder

  • Policies, processes and procedures
  • People and organisation (stakeholder

    engagement oversight activities, training and

    skill consolidation)

  • Dialogue with counterparties

SKILLS DEVELOPMENT AND EVOLUTION OF THE WORKING ENVIRONMENT

lack of adequacy both in terms of skills and composition of company workforce

economic/ financial reputational employees
  • Policies, processes and procedures (remuneration and incentive policies)
  • People and organisation (dedicated structures and training)
  • Performance evaluation system
  • Monitoring and periodic reporting

SUSTAINABILITY IN INFRASTRUCTURE DESIGN, CONSTRUCTION AND MANAGEMENT

environmental and social impacts from inadequate and failed design, construction and/ or management of plants/ networks (*)

economic/ financial reputational

natural environment, communities/citizens, new generations, inhabitants
served by the water service, Areti users, Acea Energia customers, shareholders and investors, suppliers/production chain, innovation and research ecosystem/business partners/ scientific community/ membership bodies, institutions

  • Policies, processes and procedures (application of sector best practice)
  • Monitoring and periodic reporting
  • People and organisation (training and skill

    consolidation)

  • Implementation of specific applications
  • Maintenance plans

CUSTOMER FOCUS

failure to reach service quality levels; difficulty in meeting customer expectations (*)

economic/financial, reputational

communities/citizens, inhabitants served by the water service, Areti customers, Acea Energia customers

  • Policies, processes and procedures
  • Dedicated organisational structure
  • Periodic reporting (analysis of customers and services)
  • Regulatory framework and reference legislation monitoring
  • Investment in customer care software

SUSTAINABILITY AND CIRCULARITY ALONG THE SUPPLY CHAIN

failure to audit the procurement process; failure of suppliers to comply with the requirements (health and safety, environmental, anti-corruption)

economic/financial, reputational

suppliers/production chain, ecosystem innovation and research/business partners/ scientific communities/ membership bodies

  • Policies, processes and procedures
  • Quality monitoring of goods/services received
  • Qualified suppliers register
  • Specialist benchmark studies and analyses

COMPANY WELL-BEING, DIVERSITY AND INCLUSION

increased absenteeism rate; negative company climate; possible lawsuits from employees

reputational

employees

  • Policies, processes and procedures
  • People and organisation
  • Training and communication plans
  • Corporate welfare initiatives (e.g. flexible benefits, health check-ups)

GOVERNANCE FOR SUSTAINABLE SUCCESS

non-compliance with Legislative Decree no. 254/2016; inadequacy of the internal regulatory system with respect to the guidelines of the Corporate Governance Code

reputational

Shareholders and investors, employees, institutions

  • Policies, processes and procedures (updating and verification of information systems and the organisation)
  • Board committees (Ethics and Sustainability, Control and Risks)
  • Certification of data managers and reporting assurance by the auditor
  • Monitoring and periodic reporting

- ECONOMIC GOVERNANCE TOPICS - SOCIAL TOPICS - ENVIRONMENTAL TOPICS

Note: the complete list of stakeholders includes: natural environment, communities/citizens, new generations, inhabitants served by the companies of the Water area within the NFS reporting boundary, Areti users (energy distribution), Acea Energia customers (protected market, free market, gas), shareholders and investors, employees (companies in the NFS reporting boundary), suppliers/production chain, innovation and research ecosystem/business partners/scientific community/membership bodies, and institutions.
(*) Risks marked with an asterisk correspond to the main emerging risks that may have a significant impact on the Acea Group.

The Global Risks Report 2024, a World Economic Forum document published in January 2024, confirms that over the next ten years, attention will remain on climate risks, broken down into specific impact scenarios. The top four risks are considered to be: extreme weather events, critical changes to earth systems, biodiversity loss and ecosystem collapse, natural resource scarcity.
Acea is attentive to the monitoring of climate issues and its initiatives, such as the progressive implementation of the analysis of climate-related risk factors, in line with the recommendations of the Task Force on Climate-related Financial Disclosures, have resulted in an improvement in its ranking in the CDP assessment (formerly the Carbon Disclosure Project), moving from B to A-. For more details, see the paragraph entitled Risks: Insights and Disclosure in The relationship with the environment.
The response to the CDP Questionnaire includes an assessment of risks and opportunities related to activities, over the short, medium and long term. Table 16 shows the main findings.

Table no. 16 – Risks and opportunities related to climate change: CDP evidence

RISKS

TRANSITION: Risks arising from the ongoing transition to a decarbonised economic system (e.g. regulatory, technological, market)

| Risk type | Type details and risk description | Most impacted business areas | Time frame |
| --- | --- | --- | --- |
| Legislative/Regulatory | These risks may manifest in the following ways: higher carbon tax policies and white certificates; changes to incentive schemes; tightening of the values linked to the Emission Trading Scheme (both in terms of emissions allowed and the cost of actual emission allowances); regulatory developments that require the reduction of impacts in the conduct of business operations | Energy production (thermoelectric and waste-to-energy); Electricity grid management; Water management | short-medium-long |
| Technology | Technological evolution may impose the reconversion of the design of processes in order to make them less polluting (for example replacing existing plants or parts thereof with other low-emission technologies) | Energy production (thermoelectric and waste-to-energy); Electricity grid management; Water management | medium |
| Legal | These include risks related to the worsening of legal and economic sanctions for failure to comply with technical quality and performance standards in the electricity and water services (fines and incremental compliance costs) | Electricity grid management; Water management | medium-long |
| Market | Commercial risks are attributable to the failure to adapt the products/services of the Group companies to the new requirements of customers, who are more aware of the topics of sustainability, or to the increase in poverty, also caused by climate change, which changes the habits of consumers/customers | All businesses and Commercial in particular | medium-long |
| Reputational | Reputation risk derives from a negative perception of the company’s image by its stakeholders as a result of negative events/conditions associated with climate change (e.g. interruption in services caused by the scarcity of water or by extreme weather events) | The Acea Group | short/medium term |

PHYSICAL: Risks arising from the physical effects of climatic events (acute if related to episodic phenomena, or chronic if related to long-term changes)

| Risk type | Type details and risk description | Most impacted business areas | Time frame |
| --- | --- | --- | --- |
| Acute | Extreme weather events such as heavy rainfall and cloudbursts place stress on the resilience of the electricity grid (interruption to power supply) but also create difficulties in the normal management of overabundance of water in the water service: cloudbursts can also cause a temporary service disruption in wastewater treatment plants or the entire sewerage network service. Heat waves cause peaks in demand for energy/water on the electricity distribution grid/water network. | Electricity grid management; Water management; Energy production | short-medium-long |
| Chronic | The reduction in rainfall can have a negative impact on the electricity distribution service, the production of electricity by the hydroelectric plants and the availability of water for human consumption, thus causing an increase in energy consumption for the withdrawal of water. The risk of more frequent lightning strikes can cause interruptions to the distribution of electricity and thus economic damage. Temperature changes can cause variations in the composition of incoming waste (decomposition) in waste-to-energy plants, even changing the technological/operating needs associated with variations in emissions and the necessary processing. Incentives are also linked to the biodegradable quantity of the waste. | Electricity grid management; Water management; Energy production; Environment Segment | short-medium-long |

OPPORTUNITIES

| Drivers | Type details and opportunity description | Industrial areas affected | Time frame |
| --- | --- | --- | --- |
| Circular economy | Promotion of circular economy models and waste recovery projects, for example with waste-to-energy processes combined with material recovery (for example: bottom and fly ash recovery) | Environment Segment | medium |
| Development of photovoltaic plants | Diversification of production facilities with the acquisition and/or construction of photovoltaic plants that, in addition to receiving incentives for the feeding of electricity produced into the grid, allow balancing any reductions in hydroelectric production. | Production of electricity; technological innovation | medium |
| Increase in network resilience | Investments to improve the resilience of the electricity grid promoted by ARERA. | Distribution of electricity | medium |
| Market and services | Opportunities arising from the change in energy demand related to changes in peak ambient temperatures and the increase of the average temperature, with an impact on price growth and volumes sold | Energy sales | short/medium term |

Moreover, in 2023, following the second year of the initiative aimed at identifying, selecting and analysing the most relevant climate risks for the main Group companies, the Acea Group 2022 Climate Disclosure [59] was published according to the recommendations of the Task Force on Climate-related Financial Disclosures (TCFD). In this context, the continuous improvement effort for developing awareness on the subject continued, with an increase in the number of water companies involved and the range of risks investigated (physical and/or transition), and with improved reporting practices. For more details see the Box – Climate reporting according to the TCFD approach in The Relationship with the Environment.

Lastly, in relation to the management of operational risks in case of emergency and the preventive and operational initiatives defined by the Group companies, refer to the chapter Institutions and the Company (paragraph Plans for emergency management).

ANALYSIS OF POTENTIAL ENVIRONMENTAL RISKS

The companies operating in the water, energy infrastructure and generation and the environment business areas that have ISO 14001:2015 certified environmental management systems identify the potential negative environmental impacts generated by the activities in relation to specific events or operations.
For the water sector, the main risks concern: acute or chronic climatic phenomena or seismic events, which could cause structural failure or malfunctions of plants and network systems managed, causing water shortages for users or accidental spillage of pollutants; inefficient operational management of water, which could cause high levels of losses with consequent excessive consumption; water stress; possible breach of water control parameters with environmental consequences; inadequate interventions on the sewage treatment system with possible contamination of the soil and water bodies; risks of fires and explosions in treatment plants related to the production of biogas, with possible impacts in terms of emissions into the atmosphere.
In the context of energy networks, the main risks are attributable to the existence of overhead and underground systems with impacts in terms of land use and subsoil, the generation of waste and impacts on ecosystems, the generation of electromagnetic fields with impacts in terms of exposure, the maintenance of transformation plants with potential soil and subsoil contamination with hazardous materials, and the maintenance and construction of plants with impacts in terms of production of special waste.
For the electricity generation activities, carried out with renewable and conventional power plants, the potential environmental risks attributable to the ordinary management of the plants or in the event of critical events like fires or explosions may lead to the accidental spillage of pollutants or the exceeding of threshold values in emissions (into the atmosphere, surface water and sewerage). An example of environmental risk derives from the potential dangerousness of structural failure of hydraulic works attributable to critical natural phenomena (such as earthquakes of particular intensity and/or millennial floods), which could affect the territory downstream of the plants (e.g. floods).
The environment sector involves the treatment, recovery and disposal of waste, the recovery of materials and energy (waste-to-energy and composting) and the collection, transport, recovery and disposal of non-hazardous waste produced by waste treatment plants. In this context, potential risks for the environment could take the form of spills of hazardous substances and consequent contamination of the soil and aquifers or surface waters, or of emissions into the atmosphere or water above specific prescribed limits, the treatment of waste not compliant with the reference legislation with repercussions on plant operations, unintentional fires that may cause interruptions to plant operations and pollution of the surrounding areas, as well as the failure to make investments or carry out works on the plants, with impact on the company’s management due to delays in the issue of authorisations; finally, environmental exposure can be caused by noise, odour and dust produced during extraordinary maintenance of the plants.

58 Gori and ADF are excluded, as they have their own reporting systems; please refer to the sustainability reports prepared by the companies for further information.
59 The document is available online at the website www.gruppo.acea.it.