In July 2009, the Board of Directors examined and approved a new model to monitor and manage the risks which are liable to prejudice the achievement of Pirelli's strategic objectives, also in line with international best practices and with the suggestions which emerged from the self-evaluation process relating to the 2008 financial year [1].
[1] This approach is based on the COSO Enterprise Risk Management framework.
The Board deemed it appropriate to adopt a structured risk management process that, on the one hand, enables risks to be identified promptly and completely and, on the other hand, permits the adoption of adequate measures to “manage” them by anticipating risks and acting pro-actively rather than simply reacting, considering the accelerating pace of economic change, the complexity of management activities and the recent changes in laws and regulations relating to corporate governance and internal control.
It is important to observe that the Board of Directors plays a central role with reference to the “governance” of the new model. Indeed, the Board is responsible for supervising the risk management process so that the risks assumed in the business are consistent with the strategies (so-called monitoring action). Furthermore, the Board defines the attitude to risk (so-called identification of the “acceptable risk threshold”) and establishes the guidelines to manage the risks which may “interfere with” or prejudice achieving the business objectives or erode critical corporate assets, in line with its top management and strategic policy-making mission.
In view of the above, in 2009 the Board redefined the responsibilities and composition of the Committee for Internal Control and Corporate Governance: the Committee was renamed the “Committee for Internal Control, Risks and Corporate Governance” and its composition was extended to 5 Board Members.
In particular, the Committee for Internal Control, Risks and Corporate Governance supports the Board (i) in the periodic identification and assessment of the principal risks relating to the Company and its subsidiaries, at least once a year, to ensure these risks are monitored correctly (Annual Risk Assessment); and (ii) in defining the mitigation plans and, in general, the "risk governance", and updating them periodically, at least once a year (Annual Risk Management Plan), in order to maintain the overall levels of exposure to risk within the risk threshold assessed by the Board of Directors as being "acceptable" (risk appetite), based on the proposal made by the Committee concerned.
The Risk Model was reviewed during 2012, more than two years after the integrated risk governance model was introduced, and three risk macro families were considered which guide the risk management objectives, the control model and the governance bodies, as outlined below:
- Risks associated with the external environment in which the Company operates, the occurrence of which is outside the Company's control. This category includes the risk areas related to the macroeconomic trends, the development of demand, the strategies adopted by competitors, technological innovations, the introduction of new legislation and the risks associated with the country (economic, safety, political and environmental). The risk management objective is to monitor the risk and mitigate the impact in the event the risk occurs. The control model is based on the adoption of internal/external tools to identify and monitor the risks, stress tests to assess the robustness of the plans, the construction of alternative scenarios to the "base" scenarios, business cases to assess the impact of significant changes to the environment conditions, etc.
- Strategic Risks, namely, risks characteristic of the reference business, the correct management of which is a source of competitive edge, or otherwise, the cause of failing to achieve planned targets (three-year and annual). This category includes the risk areas associated with the market, product and process innovation, price volatility of raw materials, production processes, financial organisational risks and risks associated with M&A operations. The risk management objective is to manage the risk using specific tools and safeguards designed to reduce the probability or to limit the impact if the risk occurs with a view to achieving the best risk-performance scenario. The control model is based on identifying and measuring the PBIT/Cash Flow@Risk when preparing the strategic/management plans, defining the risk appetite and the risk tolerance for the main risk events, introducing Key Risk Indicators in Group reporting, monitoring the mitigation plan in relation to significant risk events in the absence of specific business safeguards which are already operational.
- Operating Risks, namely, risks generated by the organisational structure, by the processes and by the Group systems, where assuming these risks does not produce any competitive edge. The main risk areas in this category refer to Information Technology, Security, Business Interruption, Legal & Compliance, Health, Safety & Environment risks. The risk management objective is to manage these risks through the prevention and internal control systems integrated in the business processes. The control model is based on the development of ad hoc methods to measure the risk, define mitigation and prevention plans and the continuous monitoring of their implementation.
The Board of Directors is supported by two Risk Management Committees in relation to the various risk macro families; each Management Committee has specific areas of responsibility.
The Strategic Risks Committee (chaired by the General Counsel and composed of: the Chief Operating Officer, the Chief Technical Officer, the Administration and Finance Manager, the Planning and Control Manager, the Director of Purchasing, the Industrial and Motorcycle Business Unit Managers, the Investor Relations Manager, the Human Resources and Organisation Manager, Supply Chain, Operations, Senior Advisor Human Resources, Senior Advisor Strategies, Sustainability and Risk Governance Manager) has expertise and responsibility for the risks related to the strategic business choices, or due to the external environment in which the Group operates.
The Operating Risks Committee (chaired by the General Counsel and composed of: the Chief Technical Officer, the Internal Audit Manager, the Legal and Corporate Affairs Manager, the Information & Communication Technology Manager, Supply Chain, Operations, Financial and Business Continuity Risk Management, the Director of Purchasing, Security, Industrial Relations, Health and Safety & Environment, the Sustainability and Risk Governance Manager) focuses on preventing and managing the risks specifically related to the organisational structure, the processes and the Group's systems.
The two Risk Management Committees have the following responsibilities: (i) to adopt and promote a systematic and structured process to identify and measure the risks; (ii) to examine the information concerning internal and external, existing and future risks to which the Group is exposed; (iii) to propose strategies to respond to the risk in relation to the overall and detailed exposure to the various categories of risks; (iv) to propose the implementation of a risk policy in order to guarantee that the risk is reduced to "acceptable" levels; (v) to monitor the implementation of the strategies adopted in response to the risk defined and compliance with the risk policies adopted.
The Management Committees avail themselves of the Sustainability and Risk Governance Department (managed by Filippo Bettini), which includes the Risk Officer (Ms. Alessia Carnevale), who coordinates the assessment process and guarantees the on-going monitoring of the Company's and the Group's exposure to the principal risks, while monitoring the effective implementation of the mitigation plans in the individual company departments and organisational units.
Enterprise Risk Management is a top-down process, led by Senior Management and Board, which is responsible for defining and approving strategic objectives and risks.
[Figure: Enterprise Risk Management process. Text of the diagram boxes:]
- Gives strong commitment and defines mission and objectives
- Adopts the methodology for risk identification and measurement. Selects main risk areas related to Group Key Value Driver.
- Coordinates the assessment process
- Identify risk events related to main risk areas
- Analyze and evaluate risk events and risk management system already in place
- Propose mitigation plans
- Analyze and propose risk mitigation action
- Guarantees ongoing monitoring of the Group's risk exposure and implementation of risk mitigation plans
- Analyses main risks, approves risk management strategy and mitigation plans (Annual Risk Management Plan)
- implementation of risk policies
- risk exposure and relevant risk strategy
- Monitor risk mitigation
Roles shown: Risk Management Committee; Staff/Business Unit functions
(*) Committee for Internal Audit, Risks and Corporate Governance
(**) Operating Units