We have Enterprise Risk Management (ERM) processes and systems to detect, evaluate and monitor the main Company risks (Risk Universe), to identify, assess, and monitor the Company’s key risks (Risk Universe), in full compliance with the Corporate Governance Code for listed companies.
In 2023, we reviewed the Group’s risk management framework by developing an integrated ERM and Project Risk Management (PRM) model.
Our risk identification process also considers all factors that could impact ESG (Environmental, Social, and Governance) matters: of the 200 risk events identified, 68% are ESG-related. Additionally, the risk analysis was strengthened by incorporating a Climate Change Scenario Analysis, conducted in accordance with the principles of the Task Force on Climate-Related Financial Disclosures (TCFD), with particular attention to physical and transition risks associated with climate change.
Risks were evaluated both at the inherent and current residual levels by the Company’s middle and top management. Based on this evaluation, the most significant and emerging risks were identified and further examined, considering both strategic objectives and the external environment.
ESG risks were grouped into 19 main sub-categories, 9 of which have been classified as significant (marked with the letter "R" in the sections below).
SUSTAINABILITY RISKS:
GOVERNANCE
Product development (R)
Risk that the Group does not monitor and/or invest in technological developments for products/services with a consequent adverse impact on competitiveness, on leadership in complex high-potential markets and on the development of more efficient and sustainable solutions that include systems with low emissions of greenhouse gases or other pollutants and that are energy efficient. This also includes the risk associated with technological transition, which, if poorly designed and executed, can lead to long lead times, high costs, operational inefficiencies and low product/process quality.
Cyber security (R)
Risk that the Group suffers a cyber attack aimed at identity, data and information theft (confidential/insider information, sensitive data, bank credentials, etc.), temporary suspension of Company services or sabotage of computer systems, exploitation of the computing power of Company computers for criminal purposes, resulting in reputational damage, loss of turnover, loss of customers and suppliers, penalties and claims, and business interruption.
Supply chain (R)
Risk of not conducting adequate due diligence on potential suppliers, not monitoring their performance over time and/ or not developing solid and long-lasting relationships for medium/long-term business development in line with current and emerging regulations and the Group’s sustainability principles with consequent economic, legal and reputational impacts. This risk includes aspects of economic and financial soundness, capacity and concentration of suppliers in core areas, and control over outsourced activities.
Personnel/Third-Party Integrity (R)
Risk of relationships with third parties (customers, suppliers, strategic partners) of dubious integrity, in terms of ethics and legality in their conduct of business, and that leaders/senior managers or, more generally, Group employees may be involved in improper, unethical or fraudulent conduct, compromising stakeholders’ trust, threatening the company’s reputation and potentially negatively affecting the company’s financial and operational stability.
Brand reputation (R)
Risk that damage to the image (brand) may expose the Group to the loss of customers, profits and competitive advantage. This risk may, for example, arise due to activities/behaviour that do not protect the interests of stakeholders (e.g. customers, the community), either by people within the organization or by external parties with whom the company has business relationships. It includes the risk arising from the dissemination of false and misleading information in digital media (e.g. AI and deep fakes).
Organization and processes (R)
Risk that the Group’s organizational model is unable to support the Group’s business transformation and growth and/or that the system of powers and proxies is not consistent with the Company’s organizational system, risk management strategies, competences and actual monitoring and supervision possibilities, or is not clearly and formally publicized both outside and inside the Company, resulting in activities that harm the interests of third parties and the Company itself. This risk may arise if, for example, there is an inadequate or no reorganization of functions, roles and responsibilities, company processes and procedures, a lack of the necessary skills to manage change, or an unclear description of the powers assigned and their limits.
Directives and standards
Risk of non-compliance with laws, regulations and company by-laws, primary or secondary regulations of emerging countries, and sector-specific regulations, as a result of the evolution and tightening of the national and international legal and regulatory environment. This includes directives and regulations on climate change adaptation and mitigation, business and trade compliance, national and international legislation on cyber security and anticorruption, EU, national and international legislation on the protection and processing of personal data, and rules and regulations applicable to listed companies.
ENVIRONMENTAL
Climate change (R)
Risk that climate change and associated weather phenomena (acute: such as storms, floods, earthquakes, fires or heat waves, and chronic: such as temperature changes, rising sea levels, reduced water availability, loss of biodiversity, etc.), may damage assets (plants, buildings, etc.), cause a production slowdown or stoppage for the Company and/ or suppliers, require unscheduled work to make safe or to adapt to ecological transition.
Commodity (R)
Risk that changes in the price of raw materials (e.g., steel, copper) and commodities (e.g., gas, energy), including those from renewable sources, will affect the Company’s production costs. This risk may arise for example as a result of catastrophic events affecting the supply chain or as a result of changes in customs policies or international agreements regarding import/export.
Environmental (R)
Risk that the Group, in carrying out its production activities, may cause damage to environmental matrices (water, land, air) with consequent harm to the local territory and the community both in the short and medium/long term. This risk may arise due to a lack of timely or adequate transposition of existing and emerging regulations into internal processes, a flawed system of management, control and mitigation of potential environmental impacts arising from its activities (e.g. pollution, energy consumption, environmental disaster, damage to biodiversity) or poor training, information and awareness raising given to individuals.
Carbon Management
The risk refers to the possibility that the Group will encounter challenges related to the management of greenhouse gas (GHG) emissions and related environmental issues. This risk includes potential exposure to regulatory changes and financial impacts arising from carbon or environmental taxes, and reputational risks related to the Group’s sustainable practices and environmental impact.
SOCIAL
Health & Safety (R)
Risk that the Group does not invest adequately, including through information and awareness-raising activities, in the protection of health and safety in the workplace, with consequent harm to its own employees and third parties involved in Company activities.
Staff attraction and retention (R)
Risk that the Group is unable to attract and retain highly qualified and competent management personnel with a high level of diversity in terms of age, nationality and gender, or to integrate figures capable of managing the Group's growth and ensuring business transformation into the organizational structure. Disruption of professional relations between the Company and key figures could compromise the achievement of the Company's strategic and operational objectives. This includes the risk that the Company may not be able to offer appropriate remuneration compared to the market or adequate benefits or welfare tools in accordance with the expectations of employees to ensure their loyalty (for example improving the balance between work and personal needs).
Performance management
Risk that the Company does not evaluate and monitor employee performance against assigned targets to the detriment of employee development and the Company's sustainable growth. This risk may derive from individual performance targets that are not aligned with the strategic objectives or specific enough to guide behaviour in support of the corporate strategy, and/ or from the absence of adequate indicators to measure staff performance not only in economic terms but also in terms of sustainable development.
Management System
Risk that the management systems adopted by the Group, understood as the set of procedures, information flows and information systems, are inadequate and/or insufficiently integrated and/or obsolete with respect to the changing needs of the company and what the market offers, jeopardizing the achievement of the corporate objectives, the maintenance of the competitive advantage achieved or the maximization of the return for stakeholders.
Clients
Risk that the company does not pay proper attention to the needs of its customers and to improving the product and service offered, resulting in an inability to meet or exceed their expectations.
Stakeholder engagement & Public Relation
Risk that the Group does not adopt an adequate stakeholder engagement and public relations strategy aimed at building and consolidating long-term relationships with stakeholders. This risk includes corporate communications on sustainability to meet the rating objectives by ESG agencies, disclosure to the market and investors, dialogue with trade union representatives, and relations with institutions and governments aimed at building consensus on issues that are relevant to corporate strategy. Inefficient relationships with local, national and international counterparties (local cities and authorities/associations, legal and government authorities, industrial associations, SMEs, etc.) can damage the Company's image and reputation, diminish its credibility and creditworthiness, and compromise its competitiveness and operations.
Protection of equal opportunities
Risk that the Group does not implement personnel development policies aimed at protecting diversity, fairness and inclusion and promoting equal opportunities. This risk may arise from the non-existence of or discontinued investment in staff awareness-raising and the absence of appropriate means of protection against discrimination.
Human rights
Risk of causing, directly or indirectly, ‘adverse’ impacts on people along its value chain, with reference to its own operations (e.g. employees) and those of its business partners (e.g. contractors’ workers)
Emerging risks
Emerging risks are newly developing or rapidly evolving threats that could have a significant impact on organizations, economies, societies, or the environment. These risks may stem from technological, social, environmental, economic, or geopolitical shifts and are often characterized by high uncertainty and complexity, making them challenging to predict and manage.
In our Enterprise Risk Management (ERM) model, we focus on identifying changes in the external landscape to spot events or macro-trends that could materially affect Fincantieri or the broader industry in the medium to long term (3-5 years or beyond). As a result, building resilience and developing proactive mitigation strategies are crucial to managing these risks effectively.
The two key emerging risks we have identified are:
ARTIFICIAL INTELLIGENCE
Impact Description
We closely monitor the evolving landscape of artificial intelligence (AI). However, there is a risk that competitors who adopt AI earlier may develop more advanced technologies and processes, improving their operational efficiency and product quality. This could attract customers seeking cutting-edge solutions, potentially leading to a loss of clientele and market share for our Group.
Mitigation Actions
We have integrated AI-related risks into our Enterprise Risk Management (ERM) framework to ensure a systematic and proactive approach to managing these risks. Our approach includes:
- Business Impact Assessment: During our risk assessments, we evaluate not only AI’s potential impact on current operations but also how competitors' adoption of AI might affect our competitive position. This includes the risk of losing market share to rivals leveraging AI for operational efficiency and innovation.
- Ongoing Monitoring: We will continuously monitor AI-related risks over the short, medium, and long term. This ongoing monitoring allows us to quickly identify emerging threats or changes in the AI landscape and adjust our business strategies accordingly.
- Review of Mitigation Measures: The inclusion of AI risks in our risk management model ensures regular reviews of the effectiveness of our mitigation efforts. We will evaluate whether the actions taken to reduce AI-related risks are sufficient and up to date with technological and market developments.
- Transparency and Communication: Managing AI risks through our ERM framework enhances both internal and external transparency. It fosters clear communication across all levels of the company and with stakeholders, enabling us to respond more swiftly to AI-related challenges.
BIODIVERSITY
Impact Description
Shipbuilding relies on natural resources like metals, wood, and other materials, often sourced from natural habitats. Overuse or unsustainable extraction of these resources can damage ecosystems and reduce biodiversity. Failing to properly assess biodiversity risks could harm the company’s reputation, result in public criticism, legal actions, fines, and financial penalties, and lead to short-term financial losses. In the long run, it may also cause economic setbacks due to the decline in ecosystem services.
Mitigation Actions
We have incorporated biodiversity risks into our enterprise risk management model, launching a targeted approach to monitor the evolution of this increasingly significant global risk. Our mitigation efforts focus on the responsible use of materials throughout the design, research and development, and construction phases. We actively promote sustainable production technologies and practices aimed at minimizing the environmental impact of our operations.