Operational risks

The nature of its business exposes the Acea Group to risks of non-compliance with domestic and EU consumer protection regulations, that is the risk mainly linked to the commission of unlawful or improper consumer/business practices or the issuing of misleading advertising, as well as the risk of non-compliance with domestic or EU competition regulations, that is the risk mainly linked to the prohibition for companies to implement agreements to reduce competition or abuse their dominant market position.

Acea adopted a specific Antitrust Compliance Programme and appointed a Holding Antitrust Officer. The main objective of the programme is to strengthen internal controls aimed at preventing the violation of regulations through the implementation of regulatory and organisational instruments, as well as through a more widespread dissemination of the culture of respect for the principles of fair competition and consumer rights. The main Group companies adopted the Antitrust Compliance Programme in line with the indications of the Holding Company, and set up organisational structures in which Company Antitrust Officers were appointed, given the task of managing the activities to adapt the Programme to the individual companies and supervise its implementation and maintenance.

Regulatory risks also include all non-conformities, with particular regard to the environmental impact of Acea Group (generated for example by the activities of production and / or treatment of urban waste and waste, and of health and safety at work, mitigated through the adoption of certified management systems, respectively UNI EN ISO 14001: 2015 and ISO 45001:2018), which may result in the application of administrative and / or criminal penalties, including those of a disqualifying nature.

Following the introduction of some crimes that expand the catalogue of predicate offences capable of triggering the responsibility of the Bodies pursuant to Italian Legislative Decree 231/2001, the Acea Group has started the progressive updating of the companies’ respective organisational models, starting with that of Acea SpA. In addition, preparations have begun for updating the Model for the law converting Italian Law Decree no. 124/2019 of 17 December 2019 that came into force on 25 December 2019, which introduced some tax crimes among the predicate offences pursuant to Italian Legislative Decree 231/01, and Italian Legislative Decree 75 of 14 July 2020 transposing the “PIF Directive”.

As part of the general Group Whistleblowing Procedure aimed at regulating the system with which anyone can make voluntary and discreet whistleblowing reports, guaranteeing the confidentiality of the identity of the whistleblower and thus protecting him/her from any retaliation, the rules governing Whistleblowing relating to unlawful conduct have been updated, also pursuant to Italian Legislative Decree 231/01 and/or violations of the 231 Model, expanding the possible channels of communication to include a specific IT platform, accessible by everyone (employees, third parties, etc.) on the website of each Group Company, and by employees of the Italian Companies of the Group having access to the company’s Intranet.

It should be noted that some consolidated companies (Areti, Acea Ato2, Acea Infrastructure and Acea Ambiente), as more fully illustrated in the related financial statements, are subject to investigations or proceedings that relate to significant cases pursuant to Italian Legislative Decree no. 231/01 concerning safety and/or the environment. There are also complaints for corporate offences relating only to Acea Ato5, related to investigations and proceedings for significant cases pursuant to Italian Legislative Decree 231/01 concerning the environment and corporate crimes. In particular, with regard to corporate offences, case 2031/16 relates to financial years 2015, 2016 and 2017 and alleges that the crimes of accounting fraud and filing fraudulent financial statements were committed by the Chairpersons of the Company and the representatives of the supervisory body of this company. During 2020, notification was received that the preliminary investigations had been completed, pursuant to art. 415 bis.

On the basis of the information currently available, taking into account the operational autonomy of the companies with respect to the parent company Acea, any responsibilities that may be ascertained upon the final outcome of the aforementioned proceedings are exclusively attributable to the companies themselves, without any repercussions on the Parent Company or other companies of the Group that are not involved.

Finally, other additional regulatory risks that may potentially be of particular relevance for the Acea Group include those arising from the Privacy Regulation (EU) 2016/679 GDPR.

The Acea Group’s compliance programme has made it possible to define and implement a Privacy Governance Model that is valid for the Group, taking the Parent Company as a privileged area of observation in its role as the linchpin of the system and supplier of services and/or centralised activities, looking at the Companies with a logic of priority at the core processes of each business area. The online training programme offered using an e-learning platform has been extended to Companies to provide a first layer of compliance with the obligation for Data Controllers to instruct data processing personnel, providing them with training on individual corporate processes as well as a particular focus on cross-cutting procedures (HR, Legal, etc.).

Corporate working groups have been set up to customise the Group Model in the individual companies, with effects on the implementation and/or fine-tuning of processes having a high impact on privacy, and initiatives have also been carried out to test compliance solutions already adopted.

With reference to the Commercial segment, the companies of the segment, in carrying out their sales activities on the electricity and gas free market, are fully exposed to the risk deriving from competition. In particular, there is the risk connected with potential economic and financial damage due to the progressive concentration of the electricity and gas market, i.e. the reduction in the number of competitors and the increase in their respective market shares, which would penalise the positioning of sales companies on the market, in the event of failure to align with the growth trend of the main competitors. This in particular in the case that a reduction in the prices of the reference commodity occurred, which could lead to exposure for a significant portion of the customer base to aggressive policies from the main competitors. Companies in this segment are also exposed to the risk of potential economic/financial impacts due to partial efficacy of commercial initiatives, intended to strengthen and increase the customer base and the margins of the companies.

Furthermore, with reference to commodities, there is the risk connected with potential economic and financial damage due to the impact of changes in the macroeconomic context, including geopolitical changes which would lead, in the first case, to a reduction in the consumption of commodities by business customers and, in the second case, to phenomena of extreme volatility in commodity prices, with negative consequences on trade dynamics.

Relative to the Greater Protection electricity service, which as of July 2024 will see the Company as the sole supplier for vulnerable customers, note the risk associated with changes in the reference regulations, which could have a significant impact on the growth of the customer base.

This situation carries the risk of Acea Energia being penalised due to: (i) the inability to perform and commercial activity with regard to greater protection service customers in the vulnerable category; (ii) dependence on tariffs regulated by revenues and margins of the greater protection service; (iii) exposure of a significant portion of its customer base to the impacts of policies that will be adopted with a view to moving away from the greater protection service for vulnerable customers.

In the context of Acea Energia’s operating activities which, as a commercial company, are the single point of contact for end customers, both for the electricity and gas free market and for the Electricity Service for the standard-offer market, there is risk linked to the possibility of inadequate levels of performance on the part of Distributors, with consequent impacts on the sales company.

The Segment Companies also have typical business risks deriving from an efficient and effective management of billing and credit collection procedures, where it is affected by the sub-optimal performance of electricity and gas distributors.

Information about commodity price risk and the control tools adopted is provided in the financial risks section.

Areti, making use also of the support and assistance of the Acea SpA Risk Management, Compliance & Sustainability Unit in managing the process and of the instruments of the Enterprise Risk Management system implemented in the corporate Group, carries out periodically and in a structured way an activity of identifying and assessing the main risks that can have a significant impact on the achievement of the business objectives deriving from the strategic, industrial, financial and sustainability plans. 

During the year, a risk scenario was identified associated with the concrete appearance of cyber threats, exposing the Company’s OT systems to compromised availability, integrity and confidentiality for data with reference to Industrial Control Systems (ICS), with potential damage in terms of business interruptions (due to alteration/unavailability of technical or administrative processes), data/infrastructure impairment (alteration of logical or physical infrastructure) and breaches in terms of regulatory compliance (e.g. the General Data Protection Regulation (GDPR), Network and Information Security (NIS) and the national cybernetic security perimeter).

The company has already adopted preventive measures and will implement further projects in line with the best available technology and in compliance with current legal provisions.

The main operational risks associated with the segment’s business may relate to property damage (damage to assets, adequacy of suppliers, negligence), personal injury and damage arising from information systems and external events.

The Company, in order to cope with any operational risks, has taken steps, since the start of its activity, to sign policies with leading insurance institutions for property damage, third party liability and employee accidents.

The Company pays particular attention to the training of its employees, through in-person, virtual and on-line training courses, in order to make field operators and all corporate management responsible for working safely, respecting the environment and ecosystems, with ethical appropriateness and with a view to eco-sustainability, as well as to ensure compliance with regulations associated with Legislative Decree 231/01 as amended - Antitrust and Consumer Protection – Privacy (GDPR).

The Company also develops and defines internal organisational procedures aimed at describing the activities and business processes of production sites/operating units where it specifies the matrix of responsibility and the context and the applicable legislation of reference; In addition, it draws up its own operating instructions for the field, which show how recurring maintenance work is to be carried out, relating the technical operating specifications to the safety guidelines to be used in operations.

The above is also realised through the implementation of an Integrated Quality, Environment and Safety Management System (hereinafter SYSTEM or SGI), adopted by the Company pursuant to ISO 9001:2015, ISO 45001:2015 and ISO 45001:2018, certified by an accredited external control body, respectively no. 44357/23/S - EMS-5491/S - OHS-2406.

SYSTEM is intended to be a tool to:

• protect health and safety in the workplace and throughout the supply chain;
• protect the environment and biodiversity in ecosystems of interest;
• promote rational and knowledgeable use of energy sources and raw materials;
• promote a culture of quality and energy savings;
• achieve customer satisfaction;
• ensure continuous and proactive dialogue with other interested parties.

All the above is specifically detailed in the SYSTEM policy, as declared, adopted and published by the companies in the Segment.

The Terni and San Vittore del Lazio plants were involved in optimisation and revamping projects that present the risks typically related to the construction of complex industrial infrastructure (e.g. any construction and performance defects).

The Orvieto plants, and more recently Aprilia and Monterotondo, have completed major upgrading of their recovery processes for composting purposes, while the Sabaudia and Chiusi plants are undergoing major expansion and upgrading work that is currently being authorised (Sabaudia) or has just been authorised (Chiusi).

With regard to the management phase, the possible discontinuity of the waste-to-energy activities carried out in the Terni and San Vittore del Lazio plants and the waste treatment activities carried out by the other plants, if connected to the production of electricity under incentive programmes and the provision of public services, could have significant negative repercussions. This, both from an economic point of view and with respect to responsibility towards public and private suppliers. In this context, therefore, where not planned, a plant shutdown creates a concrete risk of failure to achieve the objectives of the industrial activity.

The waste-to-energy plants, as well as waste treatment plants to a lesser extent, are characterised by a high level of technical complexity, which requires the management of qualified resources and organisational structures with a high level of know-how. Therefore, there are specific risks with regard to the continuity of technical performance of the plants, as well as connected to the possible exodus of professional skills (not easily available on the market) having specific managerial skills in this area.

These risks have been mitigated by implementing specific maintenance and management programmes and protocols, drawn up partly on the basis of the experience acquired in plant management.

Moreover, the plants and the related activities are designed to handle certain types of waste. The failure of incoming material to meet the necessary specifications could lead to concrete operational problems, sufficient to compromise the operational continuity of the plants and give rise to risks of a legal nature.

For this reason, specific procedures have been adopted for monitoring and controlling incoming materials via spot checks and the analysis of samples pursuant to legislation in force.

For years now Acea has followed a development path focused on the use of new technologies as a driving force for the operational efficiency, safety and resilience of its industrial assets. The main business processes are now all supported by the use of advanced information systems, implemented and managed by the Group’s centralised departments to support the operations of the various companies. In this sense, the Group is therefore exposed to the risks of the adequacy of the IT infrastructure to the current or future needs of the various businesses, as well as to the risks of unauthorised access to the data processed using IT procedures, with or without intent, and in any case inappropriate or not in compliance with current regulations. Acea manages these risks with the utmost attention through specific corporate compliance structures coordinated by specialised Group safeguards.

As far as cyber security of systems, infrastructure, networks and other electronic devices is concerned within the scope of the services provided or the respective Group Companies, the current procedural and technological safeguards of the Companies themselves are implementing all the necessary actions to align their cyber security posture with the main national and international industry standards in order to increase their resilience to risks of this nature, possible repercussions in terms of business interruption and regulatory non-compliance. Technological and organisational measures have been implemented with the aim of:

• managing the threats to the organisation’s network infrastructure and information systems in order to ensure a level of security appropriate to the existing risk;
• Preventing accidents and minimising their impact on the security of the network and information systems used to provide services, so as to ensure their continuity.

To that end, note that on 2 February 2023 Acea was the victim of a Ransomware hacker attack, which affected all Corporate IT services. Essential services (including electricity and water distribution) were not impacted; with reference to work stations, only a few units were compromised, thanks to the anti-malware technology installed. Concurrent with analysis, existing security measures were strengthened and recovery was begun, including restoration of full backups, which led to a gradual recovery of functioning for all systems/services. The event involved the compromising of the company’s non-structured data repository with an impact on availability. Together with internal analysis, an investigation by the Public Prosecutor of Rome was launched and is still under way, utilising the bodies of the CNAIPIC Postal Police - PG to analyse the incident. The incident was also followed by the online publication of company folders and files illicitly extracted during the attack. Given that personal data was also contained in these, the company’s Data Breach procedure was activated, with notification of the Personal Data Protection Authority (GPDP). Acea promptly implemented all the procedures necessary to comply with the Privacy regulations. In particular, the GPDP received a preliminary notification by the deadline of 72 hours after the event was identified. Subsequently, two supplementary notifications were sent, followed by a third on 21 April, completing the notification process and providing evidence of the results of the analysis carried out.

Following the conclusion of the notification process, the GPDP sent a request for information which Acea responded to by the deadline, and subsequently began an audit, mainly consisting of requests for information and documents inherent to the notifications made. This audit was begun on a day in early May, at the end of which the GPDP indicated that an additional day would be necessary, which occurred in July. At the end of this second day, the GPDP set a deadline of 31/07 to provide the additional documentation requested, which was not available at the time as it was being finalised. This documentation was supplied by the date indicated above.

From that point, no additional requests for information or clarifications have been received from the GPDP, although it has the power to request them, nor has it issued any provisions.

That being established, remember that still today the Authority has the right to obtain further information through requests and investigatory actions. It should be noted that at present it is not possible to predict, on the basis of currently available information, whether the Authority will apply any sort of penalty, nor the relative amount, that being represented in the communication made through Acea’s request remaining still valid today, submitted through a third party and annexed to the present letter, also taking into consideration that the regulatory process for notifying the Authority was followed. The event did not require any adjustments to the data and information utilised in the preparation of the Acea Group’s Consolidated Financial Statements for 2023.