Risk governance
The Board of Management has final responsibility for the execution of risk management, together with the management of the business units. They are assisted by support departments such as Corporate Risk Management, Safety, Health, Environment & Quality (QHSE), Business Continuity Management, Security, Corporate Affairs (including Privacy Office), Compliance & Integrity and Treasury. The Asset Management department is tasked with making proposals for replacement and other investments based on a risk analysis. We apply the ISO-NTA 8120 (ISO 55000) standard for this. The operational asset risks are identified in the investment plan. The investment plan for the years 2022-2024 is available on www.stedin.net. Internal Audit performs audits and reports on the results to the Board of Management as well as the Supervisory Board’s Audit Committee. The topic of Risk is an item on the agenda of the Audit Committee of the Supervisory Board four times a year. A detailed description of our risk management governance is available on www.stedingroep.nl.
Risk management process
Stedin Group’s Enterprise Risk Management (ERM) framework covers both long-term and short-term uncertainties. For the most part, this ERM framework has been translated into an In-Control Framework (ICF). This ICF consists of the risk categories Tactical/Operational, Financial, Fraud, Business Continuity, Compliance/Privacy, Information Security and Financial reporting. We based the design of this framework on the COSO framework and the ISO 31000 standard. The risk management process is a permanent part of the standard business planning and control cycle.
Long-term uncertainties
Once every quarter we update the long-term uncertainties and the related controls and report on their development to the Strategy MT. We compare the uncertainties to the risk tolerance. The long-term uncertainties also serve as input for the selection of change programmes within Stedin, are part of the financial-strategic forecasts and are incorporated in the annual planning process. In this way, the long-term uncertainties are addressed as much as possible in the planning. For further details about the long-term uncertainties, see the section entitled Most important strategic risks and opportunities for Stedin Group in 2022.
Short-term uncertainties
Short-term uncertainties have a time horizon of approximately one year. Operational risks such as service breakdowns and failures, fraud risks and reporting risks are examples of short-term uncertainties. For these uncertainties we identify the risks and opportunities as well as the associated controls. The short-term uncertainties and controls are linked to the business, supply chain and departmental objectives included in the supply chain and departmental plans. We review and update the risks and uncertainties at least once a year in risk and control sessions with management. As part of the ‘Jointly in Control’ process, departmental management periodically reviews by means of self-assessment whether the controls are effective, and determines the improvement potential and the actions to be taken. Every quarter, we discuss the outcomes of these self-assessments with the operational management. We report developments in the risks and the effectiveness of the controls applied to the Board of Management in monthly business unit reviews. In addition, the management of each business unit reports to the Board of Management in a Letter of Representation twice a year. In that Letter, they report on integrity, strategy and objectives, risks and controls, external reporting, and laws and regulations. Management uses the internal ‘In-Control guidelines’ to give thorough consideration to each of these elements. These Letters serve as an important basis for the In-control statement of the Board of Management. If there are any issues, risk management determines their impact on the advice for the overall In-control statement of the Board of Management.
Risk appetite
We have to incur a certain degree of risk in order to achieve our objectives. With regard to both risks and opportunities, Stedin Group is continually seeking a balance between its role in society, the available financial and other resources and the environment. Given the public and regulated nature of Stedin Group, its general risk tolerance is relatively low: it is generally inclined to avoid risk. The extent to which we are prepared to be exposed to risks (the risk tolerance) differs for each risk category:
Strategic - Neutral: Stedin Group is prepared to take moderate risks to achieve its mission, vision and strategic objectives.
Operational - Avoiding: Stedin Group is risk averse in connection with risks concerning security of supply. In this light, Stedin Group seeks a balance between security of supply and affordability for society.
Financial - Avoiding: Stedin Group is a capital-intensive enterprise. In order to ensure that our service provision to customers remains both reliable and affordable, we aim for an A category rating from Standard & Poor’s. We do not accept any risks that may endanger that rating. The reliability of our financial reporting is one of the preconditions for retaining this rating.
Compliance - Averse: We perform a regulated task in the energy world. We therefore seek to comply with all applicable laws and regulations.
Safety - Averse: The electricity and gas infrastructure is potentially dangerous (and can pose a threat to lives). We have the lowest possible risk tolerance in connection with the safety of our employees and our environment.