Risk governance
The Board of Management has final responsibility for the execution of risk management, together with the management of the business units. They are supported by specialist departments for Corporate Risk Management, Safety, Health, Environment & Quality (VGMK), Business Continuity Management, Security, Corporate Affairs, Compliance & Integrity and Treasury. The Asset Management department is tasked with making proposals for replacement and other investments based on a risk analysis. We apply the ISO-NTA 8120 (ISO 55000) standard for this. The operational asset risks are identified in the investment plan. The investment plan for the years 2020-2022 is available on www.stedin.net. Internal Audit performs audits and reports on the results to the Board of Management as well as to the Audit Committee of the Supervisory Board. Risk is an item on the agenda of the Audit Committee of the Supervisory Board twice a year. A detailed description of our risk management governance is available on www.stedingroep.nl.
Risk management process
Stedin Group's Enterprise Risk Management (ERM) framework covers both long-term and short-term uncertainties. For the most part, this ERM framework has been translated into an In-Control Framework (ICF). This ICF consists of the risk categories Operational, Financial, Fraud, Business Continuity, Compliance/Privacy, Information Security and Financial reporting. We based the design of this framework on the COSO framework and the ISO 31000 standard. The risk management process is a permanent part of the standard business planning and control cycle.
Long-term uncertainties
We update and report on the developments of the long-term uncertainties and the related control to the Strategy MT once every quarter. We compare the uncertainties to the risk tolerance. The long-term uncertainties also serve as input for the selection of change programmes within Stedin, are part of the financial-strategic forecasts and are incorporated in the annual planning process. In this way, the long-term uncertainties are addressed as much as possible in the planning. Further information on the long-term uncertainties can be found in the section on ‘Most important strategic risks and opportunities of Stedin Group in 2021’.
Short-term uncertainties
Short-term uncertainties have a time horizon of approximately one year. Operating risks such as service breakdowns and failures, fraud and reporting risks are examples of short-term uncertainties. We identify risks and opportunities as well as the associated controls with regard to short-term uncertainties. The short-term uncertainties and controls are linked to the business, supply chain and departmental objectives included in the supply chain and departmental plans. We review and update the risks and uncertainties at least once a year in risk and control sessions with management. As part of the 'Jointly in Control process', the departmental management periodically reviews by means of self-assessment whether the controls are effective. We also define potential improvements and actions. Every quarter, we discuss the outcomes of these self-assessments with the operational management. We report on developments in the risks and the effectiveness of the controls applied to the Board of Management via monthly business unit reviews. In addition, the management of each business unit reports to the Board of Management in a Letter of Representation twice a year. In that Letter, they report on risks and controls, external reporting and integrity. Two further elements were added in 2021: strategy and objectives, and legislation and regulations. In addition, management uses the internal ‘In-Control guidelines’ to give thorough consideration to each element. These Letters of Representation form an important basis for the In-control statement of the Board of Management.
Risk tolerance
We have to incur a certain degree of risk in order to achieve our organisational objectives. Given the public and regulated nature of Stedin Group, the general risk tolerance tends predominantly toward risk aversion and avoidance. With regard to both risks and opportunities, Stedin Group is continually seeking a balance between its role in society, the available financial and other resources and the environment. The extent to which we are prepared to be exposed to risks (the risk tolerance) differs for each risk category:
- Strategic – Neutral: Stedin Group is prepared to take moderate risks to achieve its mission, vision and strategic objectives.
- Operational – Avoiding: Stedin Group is risk averse in connection with risks concerning supply security. In this light, Stedin Group seeks a balance between supply security and affordability, for society and otherwise.
- Financial – Avoiding: Stedin Group is a capital-intensive enterprise. In order to ensure that our service provision to customers remains both reliable and affordable, we aim for an A category rating from Standard & Poor’s. We do not accept any risks that may endanger that rating. The reliability of our financial reporting is one of the preconditions for retaining this rating.
- Compliance – Averse: We perform a regulated task in the energy world. We therefore seek to comply with all applicable laws and regulations.
- Safety – Averse: The electricity and gas infrastructure is potentially dangerous (and can pose a threat to lives). We have the lowest possible risk tolerance in connection with the safety of our employees and our environment.