Business interruption risks
The global scale of Group operations exposes it to a plethora of risks that might cause an interruption in business activities for an indefinite period of time, consequently impacting its operating capacity and financial results.
Risks associated with natural or accidental events (fire, flood, earthquake, etc.), malicious acts (vandalism, sabotage, etc.), malfunctions in auxiliary plants or interruption of utilities may cause serious property damage and production losses, with a particular impact on production sites that have high volumes or specific (high-end) products.
In 2010, business interruption scenarios were assessed and measured (in terms of their impact, likelihood of occurrence and existing risk management system) for five production sites of material interest to Group strategies. In 2011 this analysis continued at another seven production sites. These analyses have confirmed that adequate protections against business interruption risk have been implemented, with a detailed series of safety measures and prevention systems.
Risks associated with information systems and network infrastructure
Group operating activities rely increasingly on the proper, uninterrupted functioning of information systems and network infrastructure in support of business processes. Human error, access by unauthorised persons, vulnerable security systems, and/or system and network infrastructure breakdowns or malfunctions might negatively impact the performance of operating activities, cause the disclosure of critical, confidential corporate information, with consequent repercussions on the Group’s corporate image and the risk of statutory and regulatory violations.
In 2010 the Group finished mapping the principal risks connected with the 10 most important information systems supporting core processes (production, purchasing, sales, and logistics). The risk was analysed on the basis of its impact on the Group if confidentiality were breached and according to the likelihood that the event occur in connection with the vulnerabilities existing in the system.
Specific measures for further upgrades to physical, logical and infrastructure safety measures were implemented for the principal “vulnerabilities.” Their implementation was constantly monitored in 2011 by the Managerial Risk Committee.
Implementation of the risk mitigation measures will be completed in 2012, and mapping of the risks facing other information systems (finance, human resources, etc.) will be undertaken.