The Board of Directors examined and approved a model to monitor and manage the risks which are liable to prejudice the achievement of Pirelli's strategic objectives, also in line with international best practices (1).
(1) This approach is based on the COSO Enterprise Risk Management.
The Board deemed it appropriate to adopt a structured risk management process that, on the one hand, enables the risks to be identified promptly and completely, and on the other hand, permits the adoption of adequate measures to “manage” the risks in terms of anticipating the risks and pro-active measures, rather than simply taking reactive measures, considering the accelerating pace of economic changes, the complexity of management activities and the recent changes in laws and regulations relating to corporate governance and internal control.
It is important to observe that the Board of Directors plays a central role with reference to the “governance” of the model. Indeed, the Board is responsible for supervising the risk management process so that the risks assumed in the business are consistent with the strategies (so-called monitoring action). Furthermore, the Board defines the attitude to risk (so-called identification of the “acceptable risk threshold”) and establishes the guidelines to manage the risks which may “interfere with” or prejudice achieving the business objectives or erode critical corporate assets, in line with its top management and strategic policy-making mission.
To this end, it is necessary to identify and assess the principal risks relating to the Company and its subsidiaries, to ensure these risks are monitored correctly (Risk Assessment), and to maintain the overall levels of exposure to risk within the risk threshold assessed as being "acceptable" (risk appetite).
The integrated risk governance model was introduced, and three risk macro families were considered which guide the risk management objectives, the control model and the governance bodies, as outlined below:
- Risks associated with the external environment in which the Company operates, the occurrence of which is outside the Company's control. This category includes the risk areas related to the macroeconomic trends, the development of demand, the strategies adopted by competitors, technological innovations, the introduction of new legislation and the risks associated with the country (economic, safety, political and environmental). The risk management objective is to monitor the risk and mitigate the impact in the event the risk occurs. The control model is based on the adoption of internal/external tools to identify and monitor the risks, stress tests to assess the robustness of the plans, the construction of alternative scenarios to the "base" scenarios, business cases to assess the impact of significant changes to the environment conditions, etc.
- Strategic Risks, namely, risks characteristic of the reference business, the correct management of which is a source of competitive edge, or otherwise, the cause of failing to achieve planned targets (three-year and annual). This category includes the risk areas associated with the market, product and process innovation, price volatility of raw materials, production processes, financial organisational risks and risks associated with M&A operations. The risk management objective is to manage the risk using specific tools and safeguards designed to reduce the probability or to limit the impact if the risk occurs with a view to achieving the best risk-performance scenario. The control model is based on identifying and measuring the PBIT/Cash Flow@Risk when preparing the strategic/management plans, defining the risk appetite and the risk tolerance for the main risk events, introducing Key Risk Indicators in Group reporting.
- Operating Risks, namely, risks generated by the organisational structure, by the processes and by the Group systems, where assuming these risks does not produce any competitive edge. The main risk areas in this category refer to Information Technology, Security, Business Interruption, Legal & Compliance, Health, Safety & Environment risks. The risk management objective is to manage the risk via the prevention and internal control systems integrated in the business processes. The control model is based on the development of ad hoc methods to measure the risk, define mitigation and prevention plans and the continuous monitoring of their implementation.
The Board of Directors is supported by two Risk Management Committees in relation to the various risk macro families; each Management Committee has specific areas of responsibility:
- The Strategic Risks Committee, with expertise and responsibility for the risks related to the strategic business choices, or due to the external environment in which the Group operates.
- The Operating Risks Committee, focusing on preventing and managing the risks specifically related to the organisational structure, sustainability, the processes and the Group's systems.
The two Risk Committees have the following responsibilities: (i) to adopt and promote a systematic and structured process to identify and measure the risks; (ii) to examine the information concerning internal and external, existing and future risks to which the Group is exposed; (iii) to propose strategies to respond to the risk in relation to the overall and detailed exposure to the various categories of risks; (iv) to propose the implementation of a risk policy in order to guarantee that the risk is reduced to "acceptable" levels; (v) to monitor the implementation of the strategies adopted in response to the risk defined and compliance with the risk policies adopted.
Regarding external risks, the Enterprise Risk Management department gives support on macroeconomic and country risks by providing regular analysis and setting up an econometric tool to gauge potential ramifications on the tyre market.
The Management Committees avail themselves of the Sustainability and Risk Governance Department (managed by Filippo Bettini) that includes the Risk Officer (Ms. Elena Capra) who coordinates the assessment process and guarantees the on-going monitoring of the Company's and the Group's exposure to the principal risks, while monitoring the effective implementation of the mitigation plans in the individual company departments and organisational units.
Enterprise Risk Management is a top-down process, led by Senior Management and the Board, which is responsible for defining and approving strategic objectives and risks.