The Group’s main business risks (the so-called Risk Universe) are identified, assessed and monitored through Enterprise Risk Management (ERM) processes and systems, in compliance with the requirements for listed companies set out in the Corporate Governance Code. In 2023, the Group’s risk management model was revised into an integrated Enterprise Risk Management – Project Risk Management (ERM–PRM) model.
Under the integrated ERM–PRM model adopted by Fincantieri, risk events are managed and monitored through a continuous, recurring and organisation-wide process.
Risk Governance Model
The Group’s risk governance model is structured as follows:
Risk Management Process
Risk identification in relation to the Group’s strategic objectives is a continuous activity aimed at promptly identifying and managing potential threats or opportunities that could affect the achievement of business results.
The Group’s risk catalogue is structured across multiple levels:
The process for defining the Group’s Risk Appetite involves identifying acceptable levels of risk in relation to strategic objectives, market conditions and the operational profile. To ensure comparability among risks, assessment scales are defined based on the following thresholds:
They are defined in line with the economic performance objectives of the Group’s Industrial Plan. Probability and impact scales are established on this basis, ensuring consistent risk assessment and a clear distinction between acceptable and unacceptable levels of exposure.
As part of the risk identification process, all factors that may impact ESG (environmental, social and governance) matters are taken into account. Overall, more than 200 risk events have been identified, of which approximately 100 relate to ESG topics. In addition, the risk analysis has been integrated with a Climate Change Scenario Analysis, conducted in accordance with the principles of the Task Force on Climate-Related Financial Disclosures (TCFD), with a focus on physical and transition risks related to climate change.
Audit of Risk Management Processes
The Internal Auditing function performs annual audits of risk management processes to assess the effectiveness of the methodologies adopted, control measures in place and information flows supporting the ERM process.
Audits are carried out independently, in accordance with internationally recognised standards, and provide a third-line safeguard aimed at the continuous improvement of the system.
Promotion of a Risk Management Culture
The Chair of the Board of Directors ensures that the Internal Control and Risk Management System is an integral part of the Group’s operations and culture. To this end, appropriate information, communication and training processes are implemented, together with remuneration and disciplinary systems designed to encourage sound risk management and discourage behaviours inconsistent with these principles.
Risk culture is further promoted within the Company through dedicated training programmes, which are integrated into training processes for non-executive personnel.
The disciplinary and remuneration systems include mechanisms that incentivise effective risk management and, where relevant, risk criteria are taken into account in the evaluation of new projects, strategic initiatives and operational processes.
The risks included in the Group’s Risk Universe have been assessed — both at inherent and current residual level — by middle and top management.
Following this evaluation, the most material or emerging risks have been identified and analysed in relation to the Group’s strategic objectives and the broader external context.
These risks have been classified according to a structured framework based on perspective, category and subcategory, and are accompanied by information on their potential impacts and the main mitigation measures currently in place.
Below are the risks most closely associated with sustainability issues relevant to Fincantieri.
| DESCRIPTION | VALUE CHAIN LEVEL | TIME HORIZON |
|---|---|---|
| **ENVIRONMENTAL** | | |
| *E1 – CLIMATE CHANGE* | | |
| Risk of misalignment in the adoption and implementation of emerging technologies, including those related to the green transition | Own operations | Short to medium-term |
| Risk of incurring unexpected costs (increased OPEX) for adaptation/recovery due to interruption of operations at production sites caused by environmental/climate/health/extreme events | Own operations | Short to medium-term |
| Risk of inadequate management of atmospheric emissions | Own operations | Short to medium-term |
| *E2 – POLLUTION* | | |
| Risk of inadequate management of atmospheric emissions | Own operations | Short-term |
| Risk of potential soil/subsoil contamination due to accidents/spills | Own operations | Short-term |
| Risk of potential contamination of sea water due to accidents/spills | Own operations | Short-term |
| *E3 – WATER AND MARINE RESOURCES* | | |
| Risk of inadequate management of water discharges | Own operations | Short-term |
| *E5 – RESOURCE USE AND CIRCULAR ECONOMY* | | |
| Risk of not meeting market demand due to a shortage of raw materials | Value chain | Short-term |
| Risk of inadequate management of hazardous and non-hazardous waste | Own operations | Short-term |
| **SOCIAL** | | |
| *S1 – OWN WORKFORCE* | | |
| Risk of non-compliance with national and international data protection regulations | Own operations | Short-term |
| Risk of non-compliance with national and international legislation on cyber security (e.g. Data Protection, Military Regulations, National Cybersecurity Perimeter) | Own operations | Short-term |
| Risk to the safety and security of personnel travelling to places at risk of terrorism/kidnapping/acts of violence | Value chain | Short-term |
| Risk linked to relations with trade union representatives | Own operations | Short-term |
| Risk of industrial action/strikes causing a production slowdown or stoppage | Own operations | Short-term |
| Risk of poor staff retention due to inadequate career growth paths, non-alignment with market trends and/or an inadequate staff empowerment (skills enhancement) model | Own operations | Short-term |
| Risk of poor staff retention due to significant salary deviation from competitors or comparable sectors | Own operations | Short-term |
| Risk related to the loss of key personnel and the Group’s retention capacity | Own operations | Short-term |
| Risk of labour disputes | Own operations | Short-term |
| Risk of potential exposures impacting human health and safety (e.g. leakage of fumes, paint, chemicals) | Own operations | Short-term |
| Risk of failure to adopt the provisions of existing and emerging occupational health and safety regulations in production processes | Own operations | Short-term |
| *S2 – WORKERS IN THE VALUE CHAIN* | | |
| Risk of non-compliance with national and international data protection regulations | Own operations | Short-term |
| Risk of non-compliance with national and international legislation on cyber security (e.g. Data Protection, Military Regulations, National Cybersecurity Perimeter) | Own operations | Short-term |
| Risk of unavailability of external skilled labour to meet production needs | Value chain | Short-term |
| *S4 – CONSUMERS AND END-USERS* | | |
| Legal and reputational risks underlying the conclusion of commercial assistance agreements, offset obligations and the establishment of business relations with the Company’s customers | Own operations | Short-term |
| Risk of non-compliance with national and international data protection regulations | Own operations | Short-term |
| Risk of non-compliance with national and international legislation on cyber security (e.g. Data Protection, Military Regulations, National Cybersecurity Perimeter) | Own operations | Short-term |
| **GOVERNANCE** | | |
| *G1 – BUSINESS CONDUCT* | | |
| Risk of non-compliance with Legislative Decree No. 231/2001 (e.g. updating of the Organizational, Management and Control Model following the introduction of new crime risks) | Own operations | Short-term |
| Risk related to the definition, management and updating of the anti-corruption management model with respect to ISO 37001 and maintenance of the relevant certification | Own operations | Short-term |
| Risk of non-compliance with national and international data protection regulations | Own operations | Short-term |
| Risk of non-compliance with national and international legislation on cyber security (e.g. Data Protection, Military Regulations, National Cybersecurity Perimeter) | Own operations | Short-term |
| Risk of conflicts of interest in purchasing relationships with suppliers | Own operations and value chain | Short-term |
| Risk of establishing relationships with commercial counterparties (suppliers) of dubious integrity | Own operations and value chain | Short-term |
| Risk linked to the presence of suppliers on relevant sanctions lists (Italian, US, EU and UN sanctions lists) | Value chain | Short-term |
| Risk of Advanced Persistent Threat (cyber espionage by organized and/or state-sponsored groups) | Own operations | Short-term |