Enterprise risk management process

The Snam group has instituted, under the direct supervision of the General Counsel, the Enterprise Risk Management (ERM) unit, which performs a fundamental function in the integrated management of corporate risk for all Group companies. The ERM model works in line with the recommendations of the CoSO framework, the new 2020 Corporate Governance Code and international best practices. Its main objective is to identify risks using standardised, group-wide policies, so that priority events are singled out and their consolidation and reporting are ensured.

Risk is defined as the effect of uncertainty on the targets of the Strategic Plan, and its scope can be negative or positive. The results of the risk and opportunity assessment and monitoring activities, together with the related mitigation measures, are presented regularly to the Control, Risk and Related-Party Transactions Committee, the Board of Statutory Auditors, the Supervisory Body and the Board of Directors of Snam. In this context, the ERM unit also carries out awareness-raising and training activities for executive and non-executive directors on the risk management methodologies applied and on the evolution of Snam’s ERM model.

The results are also shared with: the Internal Audit department, which uses them when preparing audit plans; the Strategic Planning department, which checks their coherence with the risk assessments and analyses of the Strategic Plan; and the Sustainability department, to support planning activities and to define strategies for managing the ESG themes that are relevant to the Group.

Snam’s dedicated ERM department manages and oversees the following main activities:

  • Risk identification;
  • Risk measurement & treatment;
  • Monitoring;
  • Reporting;
  • Maintenance of the model.

Identification

Identification of risk events related to business processes and of external risk factors that could affect the achievement of company targets. This is carried out by Staff and Business Managers, who are responsible for implementing initiatives aimed at the effective oversight of risks, and through specific analyses of the operational processes of every Company and of the corporate Strategic Plan. The events are periodically reviewed, also in the light of the growing significance of new business development areas, in order to ensure correct oversight of the risks and opportunities related to them.

Measurement & treatment

Assessment and prioritisation of each event in terms of probability of occurrence and impact, whether negative (risks) or positive (opportunities). Probability is rated on a scale from 1 (remote) to 4 (highly probable); impact, rated on a scale from 1 (low) to 4 (significant), is assessed along qualitative dimensions (industrial/business, asset, reputational, legal, market, health and safety and environment) or quantitative dimensions (economic, financial). The prioritisation of the risks, which combines the probability and impact assessments expressed by risk owners (the CEO’s direct reports) and risk specialists, is represented on 4 levels (low, medium, high and critical for risks; light, moderate, good and excellent for opportunities). Furthermore, the event management strategy (monitoring and management, mitigation, transfer) is defined and the specific actions or interventions are identified.

Monitoring

Monitoring of the evolution of individual risks and opportunities (and/or of the entire risk register), on the basis of the progress of the management interventions/actions associated with the risks/opportunities and of the trend of the risk indicators.

Reporting

Periodic reporting on the results of the risk identification, assessment and monitoring activities. Its purpose is to report to the company’s Top Management, the Control bodies and any other significant stakeholders the information collected in the previous stages, namely: the main risks to which the Company is exposed, the measures identified, the monitoring indicators, changes that may impact the business in the future, and the main opportunities.

Maintenance of the model

The ERM model is maintained continuously and independently of the phases of the process, with the aim of constantly ensuring an effective model that reflects the technological and methodological progress made in the field of risk management.

Risks identified via the ERM process are classified as financial, operational, legal and non-compliance, and strategic, including any risks related to ESG issues that these categories may contain. At the end of 2020, approximately 141 enterprise risks were mapped, 31 of them distributed across all corporate processes.

In order to promote an effective risk culture throughout the company, Snam organises dedicated internal training sessions on risk management issues.

The wide-ranging nature of its impact measurement is a distinctive feature of Snam’s ERM model. Every event is assessed against eight types of impact, some of which are determined by risk owners (operational impacts: Economic, Industrial/Business, Asset) and others by specialist departments (Financial, Legal/Compliance/Governance, Reputational, HS/Environment and Market impacts).

With particular reference to the specialised impact in terms of health, safety and the environment (HSE), the HS component makes it possible to evaluate all identified risks and opportunities on the basis of their possible consequences for the health and safety of people (possible accidents, injuries or serious events for risks; improvement of working conditions and workplaces for opportunities). Finally, all risks and opportunities, including those mapped in and/or with impacts on the health and safety area, are subject to periodic reporting by the ERM function to the Corporate Bodies and top management.

26 July 2022 - 17:25 CEST