Risk management is essential for the realisation of our strategic ambitions. We identify and mitigate the risks that may impede the achievement of our goals.
For this reason, risk management is an important element in our business operations. Eneco’s risk policy encompasses careful assessment of the risks that Eneco runs and specification of mitigating measures and describes how we ensure the effectiveness of these measures.
The Board of Management is responsible for risk management at the level of the organisation as a whole. Risk management is structured according to the ‘three lines of defense’-model. The Board of Management has delegated its responsibility for risk management primarily to the directors of the business units ('first line'), who are supported in this matter by functions such as business control, the safety organisation and compliance ('second line'). The Group Risk Management department is responsible for the coordination of the risk management process. The Internal Audit department (‘third line’) carries out audits and reports the results to the Board of Management and the Audit Committee of the Supervisory Board.
Risk and performance management framework
- Eneco Group’s Strategic Framework specifies the boundaries within which all the business activities aimed at realising the mission of the company are carried out and forms the basis for the specification of the strategic KPIs.
- Financial-strategic forecasts help the Board of Management to weigh strategic and financial goals and risks.
- The possible impact of significant risks on the risk categories Financial, Reputation, Integrity and Safety is assessed. With respect to financial matters, we use the financial framework to manage the main financial restrictions on the strategy. These restrictions include minimum requirements for the ratios for solvency and cash flow in relation to net debt, using a credit rating of around A- (Standard and Poor's) as the guideline. Sensitivity analyses, including single event stress tests and scenario analyses, are used for this purpose.
- Risk control systems that have been specified for each level encompass specific mitigating measures. The ‘Risk Heat Chart’ is used for internal communication with respect to risks.
Controlling risks with the ECRS
COSO-ERM, the worldwide standard for Enterprise Risk Management, forms the basis for Eneco’s internal risk management and control system, which goes by the name Eneco Control & Risk System (ECRS). The first version of the ECRS was introduced in 2005. Each year, the ECRS is adapted to keep up with the latest developments with respect to risks, business developments and external influences. The ECRS includes a risk assessment method, a set of control measures and a method that management can use to determine the effectiveness of the control measures (see In Control statement). The Internal Audit department carries out audits with respect to the quality of risk analyses and self-assessments.
Risk management in 2015
- In 2015, a number of departments with activities in the area of risk management were grouped together to form the new Group Risk Management department. The aim of this department is to, in time, apply a comprehensive approach to information and activities relating to all aspects of risk control for all the business segments of Eneco Group and to connect them in order to create an efficient and effective risk control system encompassing the Group and the business segments.
- The Internal Audit department started with the implementation of a supply chain-oriented audit approach in 2015. This approach should result in audits that are more relevant for the business and focus on strategy and transformation.
- Several improvement and control measures have been implemented in connection with the control of complex ICT and transformation projects and programmes.
- Business Continuity Management has been brought to a higher level; integration with regular risk management has been initiated.
- In 2015, special attention was paid to increasing risk awareness with respect to cyber security. Our strategic policy regarding information security was updated and implemented in 2015.
Audit & Risk Committee
The risk assessments and the status of risk control and mitigating measures are discussed periodically by the senior management teams of the different business segments. The main risks and measures are discussed by the Audit Risk Committee of the Board of Management. The Audit Committee of the Supervisory Board monitors the adequate functioning of the risk management activities as a whole. Enterprise-level risk limits have been translated into various specific policy statements, codes and guidelines for areas such as safety, trade mandates, authorisations and conduct.
In order to create an overview and be able to keep track of the consolidation and aggregation of the risks and mitigating measures, we have clustered the risks and have specified them in more detail.
The main risks associated with our strategic objectives and the measures we take in order to control these risks are further explained in the section Progress, including:
- the risk of interruptions in the supply of energy (see Reliable energy supply),
- uncertainty with respect to future government policy relating to the energy transition, the low carbon price and falling energy prices (see Investing in sustainable capacity and production),
- changing subsidy regimes, risks relating to the development of capital-intensive projects (see Substantial increase in wind energy),
- risk associated with recruiting insufficient numbers of people with the right competencies and limited focus on High Performance culture (see Dynamic employer),
- safety risks including carbon monoxide incidents (see New safety risks),
- ICT risks, including cyber security and business continuity (see New safety risks),
- the risk of unbundling, changes in S&P's credit rating method, risks related to the regulation of tariffs in the regulated domain, compensation of surplus profits in the measurement domain, risks related to the large-scale roll-out of smart meters and the risk of claims related to connection and transmission rates (see Transformation and return on investment).
- Financial risks to which Eneco Group is exposed are discussed in note 32 to the consolidated financial statements: Financial risk management.
- The section Integrity and compliance contains information on the control of compliance risks.
Our risk tolerance is categorised by the types of risk distinguished by Eneco:
The construction and operation of (sustainable) energy production facilities is a central aspect of our strategy. These activities lead to safety risks. We apply the principle of zero tolerance with respect to these risks. Accidents resulting in absence from work are considered to be significant incidents. More serious incidents (hospitalisation, fatal accident) are regarded as critical or unacceptable.
Eneco pursues a growth and transformation strategy, which encompasses substantial investments in new and existing activities. This strategy is translated into long-term financial-strategic forecasts, which are updated every six months on the basis of the latest insights. Our financial risk tolerance is derived from the financial control framework. Fitting measures are implemented for risks that may result in exceeding or not meeting limits defined in the financial control framework.
Unethical or fraudulent behaviour of employees is a major risk. Eneco can only carry out its role properly if the highest standards of conduct are applied. The Eneco Code of Conduct and the underlying guidelines define desired conduct and how to act with integrity. Considerable attention is paid to integrity awareness of management and employees during work meetings and workshops. There is an integrity hotline and employees can also contact one of the confidential counsellors for the adequate and confidential handling of integrity incidents.
A good and reliable reputation is essential to the existence of our company. The risk of not achieving our strategic goal, which is the realisation of a sustainable and reliable energy supply, is also classified as a reputation risk. Not meeting the reliability requirements with respect to our network management activities or supply activities is ranked as a top risk in this category. This is also true for not realising our commitments with respect to sustainability as agreed with WWF in the context of the Climate Savers initiative.
In Control statement
Each year since 2007, the Board of Management of Eneco Holding N.V. has issued an In Control statement. The Board of Management declares that it has also been 'In Control' in 2015. As a company with social responsibility, we adhere to the initial scope of the Dutch Corporate Governance code relating to internal control; in other words, adequate and effective implementation of all the objectives of the Eneco Control & Risk System (ECRS).
The Board of Management is aware of its responsibility for the adequate and effective implementation of internal control within Eneco Group. The Board of Management has applied the Eneco Control & Risk System as an instrument to guarantee that the realisation of strategic, operational and financial objectives is monitored, that reporting with respect to financial and other KPIs is reliable and that legislation and regulations are complied with.
Risk reports are prepared each quarter per business entity and at group level. These are discussed by the Board of Management and subsequent action is taken where necessary.
Every year, the different business segments carry out self-assessments, which are subjected to random inspections by the Internal Audit department. On the basis of these self-assessments, the Board of Management has identified a number of points for improvement in the areas of business continuity, information security and project management. Taking into account the combined measures taken, the Board of Management is of the opinion that the internal control system is adequate and functioned effectively in 2015. The inherent limitations of each risk management and control system must, however, be taken into account. We will therefore never be able to absolutely guarantee that we will achieve our company objectives or that no material errors, losses, fraud or violations of legislation and regulations will occur.
Forward looking statement
The Board of Management will implement Enterprise Risk Management in greater detail in 2016 using the Eneco Control & Risk System. As in previous years, we expect that the ECRS will be developed and improved further in 2016. Special attention will be given to measures relating to compliance with European legislation on privacy and the necessary activities in connection with possible unbundling of the organisation. The Board of Management has no reason to assume that the Eneco Control & Risk System will not function properly in 2016.