Leonardo’s Enterprise Risk Management (ERM) aims to identify, assess and manage enterprise risks, that it is to say threats and opportunities, which may potentially have effects on the achievement of the Industrial Plan and Strategic objectives and on the effectiveness of actions for long-term business sustainability.
This is a key requirement to maintain business value, operations and stakeholder interests in the long-term.
The ERM process also aims to support the strengthening of the Corporate governance in order to allow the Company to identify, evaluate (by adopting quantitative and qualitative methodologies) treat and monitor the risks according to common and cross-cutting rules, thus enabling the escalation of Top Risks, also with the support of a specific Risk Report system.
Enterprise risks identified and managed each for the respective area of competence by the relevant Company structure according to the roles established by the process (Process Owner/Risk Owner/Action Owner) with the support of Risk Management unit, may have the following risk impact nature:
Strategic
that is having an impact on strategic objective defined in the Company Plans, for example:
- Competitive positioning choices
- Investment/disinvestment operations
- Merger and Acquisition operations
- Commercial agreements / strategic partnerships
- Corporate reorganisation
Operational
that is having an impact on business management activities, in terms of effectiveness and efficiency of primary and support processes, for example:
- Value chain disruption
- Procurement process
- Sales process
- Administrative and accounting processes
- Information Systems (e.g. IT/cyber related matters)
Financial
that is having an impact on economic-financial figures and that can threaten debt reduction objectives, and capital structure strengthening objectives, for example:
- Credit / counterpart rating
- Currency Rate fluctuations
- Inadequate definition or management of hedging instruments
- Reduction in profitability due to high financial charges as a consequence of high debt levels
Compliance
that is having an impact on compliance with external and internal laws / regulations, for example:
- Compliance with applicable regulations of reference, such as, but not limited to: D. Lgs. 231/2001, D. Lgs. 196/2003, D. Lgs. 81/2008
- Compliance with sector / specific regulations (e.g. Trade Compliance) and universally accepted standards (e.g. ISO 37001)
- Compliance with Leonardo internal regulations and policies/procedures (e.g. Business Compliance, Anti-corruption)
Reputational
that is having an impact on the judgment and trust of the stakeholders, for example:
- Reduction in the level of customer retention and customer satisfaction
- Decrease in banks and investors trust
- Media showing negative opinion
ENTERPRISE RISK MANAGEMENT PROCESS PHASES
PLANNING OF ENTERPRISE RISK ASSESSMENT ACTIVITIES
Selection of the Company’s processes to be included in the Risk Assessment, by taking into account their relevance for the business with particular reference to Industrial Plan targets, as well as risk topics already identified in previous Risk Assessment activities.
Identification of targets related to the selected processes, taking into consideration what has been established in the Company plans in force or being defined.
Identification of targets related to the selected processes, taking into consideration what has been established in the Company plans in force or being defined.
RISK IDENTIFICATION
Risk identification, by means of support tools (i.e. Checklist, risk database), analysing the reference scenario by taking into account both internal and external risk sources. Each risk has to be described in its core components of causes/event/effects, thus allowing to determine the most appropriate treatment actions. Risk effects may have a strategic, operational, financial, compliance and reputational nature according to the classification of Company’s target on which the risk has an impact.
RISK EVALUATION
Evaluation of the Probability of Occurrence of the event of risk and evaluation of the effects of risk, by adopting quantitative methods for strategic, operational and financial impacts and qualitative methods for compliance and reputational impacts.
Definition, on the basis of a range of predefined values, of the probability and impact indices associated to the risk, with respect to which establishing the risk acceptability considering the Leonardo’s Risk Appetite, as defined for each impact nature (strategic, operational, financial, compliance and reputational). For risks with compliance nature impact, for example, the Risk Appetite is extremely low, with the aim of minimizing all risks regardless of their impact (Risk Averse – zero tolerance).
The adoption of quantitative methods allows, through the use of statistical techniques (e.g. Monte Carlo simulation), the creation of the Risk Profile and the elaboration of sensitivity analyses and stress tests with reference to the various dimensions being analysed (e.g. Orders, Revenues, EBITA, FOCF and also non-financial KPIs).
Definition, on the basis of a range of predefined values, of the probability and impact indices associated to the risk, with respect to which establishing the risk acceptability considering the Leonardo’s Risk Appetite, as defined for each impact nature (strategic, operational, financial, compliance and reputational). For risks with compliance nature impact, for example, the Risk Appetite is extremely low, with the aim of minimizing all risks regardless of their impact (Risk Averse – zero tolerance).
The adoption of quantitative methods allows, through the use of statistical techniques (e.g. Monte Carlo simulation), the creation of the Risk Profile and the elaboration of sensitivity analyses and stress tests with reference to the various dimensions being analysed (e.g. Orders, Revenues, EBITA, FOCF and also non-financial KPIs).
RISK TREATMENT ACTION PLAN
Causes/Event/Effects analysis to address the most appropriate risk treatment strategies, consistently with the Risk Appetite of Leonardo.
Computing the net benefit of identified treatment actions, selection and implementation of actions to be taken.
Computing the net benefit of identified treatment actions, selection and implementation of actions to be taken.
RISK MONITORING AND REVIEW
Periodic monitoring and review, at least quarterly, of risks and treatment actions, with identification of any emerging risks and re-assessment of the Risk Profile.
ENTERPRISE RISK REPORTING
Periodic representation, at least every six months, of Leonardo’s Risk Profile, highlighting the main enterprise risks, their evolution and the outcome of the existing treatment actions.