« To better manage our risks so as to better perform and to lead the Group
transformation to a success »
create and maintain the value, assets and reputation of the company, as well as internal
motivation;
encourage a level of risk-taking that is reasonable in social, human and legal terms, acceptable
to the public and economically sustainable;
comply with legal and regulatory requirements and the ENGIE Group's rules and values.
It examines and approves the Company's major risk review regularly enough to keep up with the
changing situation.
Entities Heads define and implement specific risk policies in line with the framework set by the Group
and within the limits of their power to delegate. They determine the global level of the target exposure
for a given time frame, plus, if necessary, a target exposure limit and/or steps for improvement.
Entities Heads oversee their Entity's exposure to risks. To that end, they implement the risk management
process, meaning that they are responsible for identifying, assessing and classifying their risks and for
elaborating and implementing associated treatment action plans, then monitoring their effective
implementation and efficiency. Management reports include a dashboard featuring a set of indicators to
help them monitor their progress on exposure to the main risks.
Risk-taking that is reasonable in social, human and legal terms, acceptable to the public and
economically sustainable is a factor used to assess individual performance as part of the Management
Way (Business Leadership).
The Entity's Board of Directors must "determine the acceptable risk profile for the Entity and ensure that
the Entity's organisation, procedures and culture enable it to manage risks in a satisfactory manner.
Management is responsible for designing and implementing the risk management systems and ensuring
that they are both comprehensive and effective. Directors must pay special attention to the risks that
pose the most direct threat to the Entity's activity, as determined by a risk map prepared by the Entity.
Finally, they must ensure that communications with shareholders on these matters are complete and
accurate." (Extract from the ENGIE Director's Guide).
Each Entity (BUs, legal or managerial Entities within BUs, Operational Functions such as NDD, RTD,
Strategic Sourcing and Supply Division, GBS….and Functional Divisions) appoints a CRO who reports
directly to the Entity Head (or CEO) and sits on the Entity's Management Committee.
Candidates for the role of BU Chief Risk Officer include the Chief Financial Officer, the Director of
Strategy and the General Secretary. The Chief Risk Officer sits on the BU's Commitments Committee.
The CRO determines the BU's overall exposure to risks on behalf of the CEO and assists the CEO with
managing it:
in ongoing activities, in terms of the risk appetite/risk mandate defined by the Group;
in projects under development, in terms of the Entity's capacity to manage risks.
As they go about their work, CROs must be independent, business-minded and vigilant with a view to
testing the resilience of the business model, better anticipating emerging risks and preventing the
occurrence of operational risks (or at least limiting their impact) at an acceptable cost, given what is at
stake.
He complies with the Group's Code of Ethics and the professional code of ethics set out by FERMA
(Federation of European Risk Management Associations) (available on the ERM SharePoint1).
He oversees competency development and progress on maturity in Risk Management within his Entity:
i) Managers who make decisions on taking risks; ii) Risk Officers who act as Business Partners, with
the primary role of advising and alerting.
1 https://engie.sharepoint.com/ERM/Governance/Forms/4-Code of Ethics
The Risk Officer reports to the CRO and is skilled in identifying, analysing and assessing risks and
determining measures for treating them. He acts to inform operational and strategic decision-making.
He provides an objective overview of risks and, in his role as Business Partner, advises managers with
a view to reducing risks or taking more risks to optimise profitability. He performs this task for both
ongoing activities and projects, always complying fully with laws, regulations and Group policies.
The mission of an Entity Risk Officer is given to an employee who has received specific training in both
recurring activities and projects. The expected level of expertise is determined by the challenges posed
by the Entity's activities or the complexity of its projects. Risk Officers actively participate in the ERM
CoP to keep their professional skills up to date. They comply with the Group's Code of Ethics and the
professional code of ethics set out by FERMA (Federation of European Risk Management Associations)
(see above).
Tasks are cascaded in the Group Entities and are tailored to their size and their activities.
In its functional role, it develops, on the basis of both professional practices and experience within the
Group:
The definition of the risk appetite for the Group's activities, in partnership with the Metiers,
the Functional Divisions and the Operational Functions;
The watch on emerging risks with a view to pinpointing new risk scenarios as quickly as
possible and preparing for them in an optimal manner;
The support and advice to the BUs to help them achieve a greater competency level in
terms of risk management and enable them to fully perform all the tasks assigned to them;
The risk culture among the Group's Senior Executives and Managers and Risk Officers'
expertise level;
The support from ERM and PRM (Project Risk Management): methods, tools, training and
communication (available on ERM SharePoint2).
2 https://engie.sharepoint.com/ERM/Methods & toolkit
The Risk Management Division maintains relations with the other Functional Divisions and Operational
Functions and with the Metiers with a view to promoting smoother integration of Risk Management into
the overall management of ENGIE's activities.
This guide aims to highlight any weak points that may be used against the company, as well as any
strategic actions that may offer it a competitive advantage.
ENGIE Risk Management information is sensitive. As such, it is governed by management policies and
classified as restricted information in compliance with the Group Policy on the Protection of Intangible
Assets (ENGIE 2015 - 005):
This information will still be considered adequately protected if it is distributed specifically to managers
so that they may implement the defined Risk Management actions.
"Any possible event likely to have a positive or negative impact on the Company’s continuity,
its reputation or the achievement of its strategic, financial or operational objectives."
The risk catalogue and the analysis guide for each Risk Family
The Group risk catalogue is the first port of call for identifying risks: it provides an overview of most of
the risks encountered by the Group in the course of its activities, though it is not exhaustive (catalogue
available on the ERM SharePoint3 and integrated in E- Risk, the risk management tool).
CROs/ROs can consult the practical information sheets that have been drafted for certain risk types
(e.g. Health and Safety, Ethics and Compliance, etc.) as a tool to assist them in their work (Health and
Safety, Ethic and Compliance, etc. available on the ERM SharePoint 4).
In addition, CROs/ROs can bring together a multidisciplinary team at various levels of their Entity with a
view to brainstorming on emerging or fast-changing risks, or, in the case of new activities for the Entity,
opening up a free and frank discussion of possible risks.
Causes may be direct (i.e. directly causing the risk to occur) or indirect (i.e. encouraging the risk to
occur, ahead of the action-reaction chain, and/or exacerbating the risk's consequences). They are
typically analysed using causal trees. It is worth looking into the primary causes of risks to increase Risk
Management effectiveness.
The consequence of a risk can also be the cause of the risk it leads to (for example, in the case of
dependent risks). Whether an event is classified as a cause or a consequence depends on one’s
viewpoint.
(Diagram: causes on the left (Management, Competencies, Organisation, Machines, Raw materials,
Environment, ...) lead to the Event, which leads to consequences on the right (Financial losses on the
result, Loss of opportunities, Asset value losses, Damage to image, Human losses, ...).)
3 https://engie.sharepoint.com/ERM/Methods & toolkit/risk catalog
4 https://engie.sharepoint.com/ERM/Methods & toolkit/ERM guidelines/ specific guides per risk family
Although assessments must be representative, they do not necessarily have to be very specific.
Nevertheless, the scales involved must be sufficient for determining whether the risk is potentially
catastrophic or, on the contrary, minimal.
The impact of a risk measures the consequences of the risk's occurrence. There are two dimensions
to this (financial impact and non-financial impact). It is advisable to assess both the financial and non-
financial impact for every risk.
Financial impact
The financial impact is the total cost to the Group over a period of 6 years (excluding market risks,
which are assessed over a period of 3 years).
The financial impact is assessed in terms of deviation from the MTP's base case scenario (3
years) and the forecast modelling over the 3 following years, in compliance with the financial
process (see subsection 3.5 below, coordination with strategic and financial processes).
All of the different types of impact are examined, and their type specified (e.g. EBITDA, CAPEX, below
EBITDA, assets value, etc.).
Financial quantification of the risk's impact is an essential component for assessment. Financial
managers should be involved in the process so that they can confirm the assessment (Business Control,
Insurance Department, and so on).
The financial impact is assessed on a scale of 1 to 4, with 1 being the least and 4 the most catastrophic
impact. It is typically compared to the Entity's EBITDA cumulated over 6 years:

Score | Impact level | Value range (% of reference quantity, generally EBITDA, cumulated on the MTP horizon)
1 | Low | < 1%
2 | Moderate | between 1% and 5%
3 | Severe | between 5% and 15%
4 | Catastrophic | >= 15%
Changes in a risk from one year to another should be expressed in reference to the residual risk.
However, all comments on the change need to take account of the total risk (share integrated into the
MTP out of 'prudence' and residual share).
Non-financial impact
The non-financial impact measures the consequences for the Group (and where applicable, the
stakeholders) of non-financial aspects such as:
the human impact: health and safety;
the Group's image or reputation;
the environment;
the legal impact;
the social or societal impact.
The assessment will be performed with regard to the criterion with the highest impact and will take into
account the long-term or limited nature of non-financial impact, especially for the Group's image and
reputation.
The non-financial impact is assessed on a scale of 1 to 4, with 1 being the least and 4 the most
catastrophic impact.
Score Impact level Description (at least one of the criteria below may result)
Occurrence likelihood measures the probability of the risk occurring within a particular time frame.
When there are no statistics, assessing likelihood may be guided by various factors, such as past
events, common sense and experience. It is advisable to compare several different viewpoints and sets
of data.
The probability of occurrence is assessed on a scale of 1 to 4, with 1 being the lowest probability level
and 4 the highest:

Score | Likelihood level | Value range | Comments
2 | Rather unlikely | 5% - 20% | There is a possibility that the risk may occur.
4 | Likely | >= 50% | It is more likely that the risk will occur than not.
Recurring risk
Recurring risk events are risks that are liable to arise every year, with the same likelihood and
impact. They are specific events that will certainly occur, without it being known how many times they
will occur over a 6-year horizon.
Once the annual likelihood and impact of an event have been determined, the Excel simulator (available
on the ERM SharePoint5) works out the probabilities and impacts over the desired period
(see appendix 4).
Example
Description of risk: Failure to achieve the sales development targets for energy services.
MTP reference scenario over a 3-year period and forecast modelling over the 3 following
years: the volume of energy services sales is to rise by 5% per year, with a gross margin (EBITDA) of
10%, i.e. a cumulative EBITDA of €120 million over the 6-year period.
Risk scenario: Falling energy prices make investments less profitable in the energy sector. The sales
volume remains in line with the MTP for 2018 and 2019 (deals already signed) but falls off towards the
end of the period, returning to 2017 levels. Beyond the drop in turnover, the margin shrinks due to
increased competition. This reasonably pessimistic scenario has a cumulative likelihood of 30% and a
cumulative impact of -€80 million over 6 years.
(Year-by-year breakdown: 2018 and 2019: €0 million; 2020-2023: -€20 million/year.)
Extreme scenario: Rather than a slow decline in margins and service volumes, we may encounter a
disruptive scenario such as sudden involvement of intermediaries like digital companies or
manufacturers.
Equipment manufacturers install sensors then gather our customers' data so as to offer them energy
optimisation services. Market losses are gradual but exponential as the technology evolves. ENGIE is
relegated to being a second-tier service provider that just implements the manufacturer's
recommendations. Loss of margins and sales: €200 million.
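To show how the scales above combine in practice, here is an added example (not ENGIE's E-Risk tool or its Excel simulator) that scores a risk on the guide's financial-impact and likelihood bands, places it on the likelihood/impact matrix, and works out a recurring risk over the 6-year horizon. The financial-impact bands and the two likelihood rows visible in the guide (score 2: 5%-20%, score 4: >= 50%) are taken from the page; the likelihood bands for scores 1 (< 5%) and 3 (20%-50%) are assumed to fill the gaps between them, and the recurring-risk calculation assumes independent annual occurrences, which is one modelling choice and not necessarily the simulator's.

```python
"""Risk scoring on the ERM Guide scales (constructed example, not E-Risk code).

Assumptions labelled in comments: likelihood bands 1 and 3 are interpolated
from the two rows the guide shows; recurring-risk figures assume the event
occurs independently each year with the same probability (Bernoulli model).
"""
from math import comb


def financial_impact_score(impact, reference_cumulated):
    """Score a financial impact against the cumulative reference quantity
    (generally EBITDA over the MTP horizon). Bands from the guide's table:
    < 1% -> 1 Low, 1-5% -> 2 Moderate, 5-15% -> 3 Severe, >= 15% -> 4 Catastrophic.
    The sign of the impact is ignored: a loss of 80 on a reference of 120 is 67%."""
    if reference_cumulated <= 0:
        raise ValueError("reference quantity must be positive")
    share = abs(impact) / reference_cumulated
    if share < 0.01:
        return 1, "Low"
    if share < 0.05:
        return 2, "Moderate"
    if share < 0.15:
        return 3, "Severe"
    return 4, "Catastrophic"


def likelihood_score(probability):
    """Score a probability of occurrence within the time frame.
    Guide rows: 5%-20% -> 2 Rather unlikely, >= 50% -> 4 Likely.
    ASSUMED (not on the page): < 5% -> 1, 20%-50% -> 3."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    if probability < 0.05:
        return 1, "score 1 (assumed band: < 5%)"
    if probability < 0.20:
        return 2, "Rather unlikely"
    if probability < 0.50:
        return 3, "score 3 (assumed band: 20%-50%)"
    return 4, "Likely"


def matrix_point(probability, impact, reference_cumulated):
    """Coordinates on the risk matrix: likelihood score on the x-axis,
    impact score on the y-axis, as the guide describes."""
    return likelihood_score(probability)[0], financial_impact_score(impact, reference_cumulated)[0]


def recurring_risk(annual_probability, annual_impact, horizon_years=6):
    """Spread an annual recurring event over the horizon.
    ASSUMPTION: independent yearly occurrences, so the number of occurrences
    is Binomial(horizon, p). Returns the probability of at least one
    occurrence, the expected number of occurrences, the expected cumulative
    impact and the full distribution of the occurrence count."""
    n, p = horizon_years, annual_probability
    distribution = {k: comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(n + 1)}
    return {
        "p_at_least_one": 1 - (1 - p) ** n,
        "expected_occurrences": n * p,
        "expected_cumulative_impact": n * p * annual_impact,
        "count_distribution": distribution,
    }


if __name__ == "__main__":
    # The guide's own example: -80 M EUR against 120 M EUR cumulative EBITDA,
    # cumulative likelihood 30%.
    print("guide example:", financial_impact_score(-80, 120), likelihood_score(0.30),
          "matrix point", matrix_point(0.30, -80, 120))
    # Constructed recurring event: 10% chance each year, 2 M EUR per occurrence.
    r = recurring_risk(0.10, 2.0)
    print(f"recurring: P(>=1 in 6y)={r['p_at_least_one']:.3f}, "
          f"E[impact]={r['expected_cumulative_impact']:.2f} M EUR")
```

The guide's example lands at the top right of the matrix (impact 4, Catastrophic, since 80/120 is 67% of cumulative EBITDA), which is the kind of point a reviewer should expect to see accompanied by an extreme scenario. For the recurring event, the single figure requested for reporting is the expected cumulative impact, while the occurrence-count distribution is what a CRO would disclose as the range of uncertainty in the detailed assumptions.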
The time horizon of the risk (or occurrence) corresponds to the period in which the risk is likely to occur. It
is closely linked to the selected scenario.
5 https://engie.sharepoint.com/ERM/Methods & toolkit/ERM guidelines/Calculation tools
the values at risk – both financial (such as capital employed, EBITDA or net result (Group
share)) and non-financial (such as stakeholder reputations);
non-financial indicators: availability rate, satisfaction rate, accidental injury rate, and so on;
the exposure limits or alert thresholds for defined criteria (e.g.: maximum amount of capital
employed per country, volumes not covered in the event of market risk).
These criteria and limits are defined in specific risk policies, which also set out governance for the risk,
its treatment measures, and monitoring indicators.
For each risk identified by the Entities, the Entity Head sets a target risk level denoting the exposure
level or degree of risk-taking that would be acceptable, in line with laws and the risk
appetite determined by the Group.
The target risk is expressed by a target impact and likelihood level or is defined by financial or non-
financial indicators.
The risk management strategy is the overall approach chosen to manage the risk. It might be very
varied. The strategy will be all the more effective if it has been consciously chosen, built and tailored to
match the context of both the Entity and the risk rather than the result of a number of uncoordinated
initiatives. The various options available are summarised in the table below and described in following
subsections.
(Table of risk management options: management BEFORE THE EVENT and management AFTER THE EVENT.)
Remember that image, legal and human impact cannot be transferred onto third parties as these
always affect the Group.
Exploiting the risk: developing the business of the company whose professional know-how enables it to
offer products and services that customers prefer to buy rather than provide themselves or entrust
to a competitor with a view to controlling risk. This involves taking entrepreneurial risk, as well as
exploiting the opportunity linked to the risk.
Strategic risks: strategic risks are risks related to doing business. As such, they cannot be lowered or
transferred in the same way as operational risks.
They are managed by innovating, adapting business models, lobbying, gathering business intelligence,
developing competencies, and so on.
An Entity may choose to apply other management strategies, such as increasing the risk (e.g. in the
event of excessive prudence in the past, a changed context or technological advances) or adapting its
business model.
Based on the chosen management strategy, an action plan will be drawn up and implemented so as to
reach the target risk level defined by the Entity.
The analysis of causes and consequences will be used to select the most appropriate measures:
(Diagram: preventive measures act on the causes, upstream of the Event; protective measures act on
the consequences, downstream of the Event.)
For each cause analysed, you must ask how you can guard against that cause (preventive action). For
each consequence, you must ask how you can reduce the impact should the risk occur (protective
action).
Example of a competitive risk: “Risk of losing high-value gas customers (source of the highest
margins) to competitors”.
Consequences:
- Loss of customers, and thus of sales volumes and margin
- Hard to pass on fixed costs to remaining customers because a price hike would encourage more
of them to switch to competitors
- Sharp decrease in EBITDA
To be relevant, an action plan must take the cost/benefit ratio into account: Management may accept
a risk if the cost of its mitigation is considered too high for the risk reduction obtained.
Finally, when uncertainty reveals a positive aspect, it is important to take this into account and adapt the
control and target level accordingly. Action plans and mitigation measures can also generate
opportunities in addition to the primary goal of improving Risk Management. Where applicable, the risk
description shall include a description of the related element of opportunity.
In addition, it is recommended to set up a dedicated system whose aim is to assess the real effectiveness
of the mitigation plan in view of the evolution of the indicators used to assess exposure to the risk.
It is recommended to use existing operational indicators: customer satisfaction rate, outage rate, opinion
polls, financial indicators, and so on.
Internal Audit, Internal Control and Insurance Divisions could be usefully consulted to build an opinion
on the mitigation plan’s quality and effectiveness.
The quality of the mitigation plan illustrates the extent to which the risk management strategy
enables the target risk level to be reached.
The quality of each risk's mitigation plan is assessed on a four-grade scale: To (re)build, Low,
Improvable, High.

Level | Strategy decided | Strategy implemented | Description
To (re)build | | |
Low | | |
Improvable | Yes | Partially | A mitigation plan is in place but is not sufficient with regard to the target risk or is not yet fully implemented.
High | | |
3.4.1. Objectives
Risk reviews for ongoing activities and projects are organised under the supervision of the CRO and
aim to allow the Entity Head to:
approve the overall risk exposure level (in the short, medium and long terms) that the Entity
accepts in view of its objectives, the Group's risk appetite policies and the Entity environment
evolution;
identify the major risks that need to be monitored as a matter of priority, set up mitigation plans
and appoint risk owners;
assess the effectiveness of existing mitigation plans and decide on their adjustments;
inform line management about major risks.
The risk matrix provides an overview of all the risks. Each risk is indicated on the standard likelihood
/impact chart along with information on quality and effectiveness of mitigation plan.
The coordinates of the point representing the risk are likelihood on the x-axis and impact on the y-axis.
The risk title should be situated close to the point. The background colours on the chart serve as a
guide only.
The Entity's risk review builds the overall vision of the senior management level and allows it
to decide on the overall actions to undertake. It is reported on as it stands.
The reporting respects the principle of transparency of the Group's Enterprise Risk Management Policy:
"the managers report on the risks in their purview with sincerity". Reporting of major risks is mandatory,
together with, where applicable, any other significant risks that the Entity deems necessary to include in
order to comply with these principles.
Beyond those criteria, management may take into account a number of other factors, such as the need
for:
internal mobilisation;
stakeholder communication.
Many permutations for grouping are possible. Risk Officers must use their own professional judgement
for risk basketing.
It is important to point out the main Entity risks in the basket and their assessment to ensure that no
significant information on risks is lost. This information must be retained for the reporting.
The diagram below shows different options for gathering risk baskets for the summary.
CROs/ROs should ensure that the risks aggregated are homogeneous in frequency and severity so that the
equivalent risk will be representative of the elementary risks, regardless of the method used.
The risk review N-1 is an input for the strategic thinking (ELS) of the BU and allows it to identify
whether strategic decisions should be taken considering the risk exposure: to reduce some risks
or, on the contrary, to take more risks.
The three major risks impacting the BU business model (Top 3) are defined once the following
questions are addressed:
– resilience of strategic orientations to stressed risk scenarios that may have the most
significant adverse impact on the BU's profitability,
– impact of proposed strategic orientations (projects, new businesses) on the BU’s risk profile
(new potential risks, modification of known risks, etc.),
– emerging risks,
– the ability of the BU to mitigate the main weaknesses and threats that may prevent the BU
from capturing the full value of key promising business opportunities.
The BU's TOP 3 risks are part of the ENGIE Performance Map analysed during ELS
sessions. The mitigation plans for these risks are followed up within the Quarterly Business
Review performance map of the BU.
The full risk review of the BU, including financial and operational risks in addition to strategic
risks, is completed taking into account the conclusions of the strategic approach (context evolution, new
orientations, etc.), on a draft version basis in the first instance.
The draft risk review is an input for MTP work (2018-2020): provisions or prudence regarding
the targets in particular are defined according to the impacts of the assessed risks, and the associated
mitigation plan costs are integrated into the budget.
The final BU risk review is finalised simultaneously with the final MTP 2018-2020:
quantification of the impacts is made in reference to MTP 2018-2020 and the 3 following years' forecast.
An opinion by the BU CRO features in the conclusions on the MTP update and in the BU risk review.
Specifically, it covers the coherence of the mitigation plans with the risk appetite, the BU's capacity to
implement them and, finally, the risk acceptance or non-acceptance if it cannot be controlled by the
Entity.
The CRO of the Entity in charge of the project is involved, alongside other stakeholders, in all steps of
project development. He oversees, in particular, the consideration of the three to five major risks and
associated mitigation measures and opportunities.
The CRO oversees and signs the 'risks' section of the commitment file.
This assessment relies on the STR5 Internal Control Reference framework from the INCOME program
(see Appendix 6).
The quality and efficiency of the ERM function are also assessed through indicators:
This section explains how the Enterprise Risk Management process is rolled out within the organisation,
and with which interactions. It is cascaded as required within the BUs.
that Enterprise Risk Management is implemented in accordance with the "ENGIE ERM Guide",
within their own Entity and within their subsidiaries;
that the specific guidance issued by the Risk Management Division, following Executive
Committee decisions, has been taken into account;
that risk reporting accurately reflects the major risks faced by the Entity.
On that basis, the Risk Management Division organises an exchange of views with a view to providing
input and boosting the relevance of the risk exposure assessment and the associated mitigation plans.
Following this, each Entity finalises its risk review (validated by its CODIR) and submits it to the RMD:
the quantification of the impacts is made in reference to MTP 2018-2020 completed with the 3-year
forecast.
The assessment of the BU's TOP 3 risks is detailed in the final risk review (impacts split by nature and
year).
The CRO/RO assesses whether the risk-taking associated with strategic options, operational activities
and development projects remains at a reasonable, acceptable and tolerable level with regard to Group
policies, the business environment, common market best practices and general rules of the sector, in
compliance with local rules and regulations.
He complies with the Group's Code of Ethics and the professional code of ethics set out by FERMA
(Federation of European Risk Management Associations) (available on the ERM SharePoint6).
He performs his duties with independence, responsibility and loyalty to the Group's interests by taking
risk evaluations or assessments carefully into account, by having them challenged by several other
interlocutors and by comparing them to external benchmarks. He then shares this knowledge with the
risk owners. In doing so, he also contributes to increasing the awareness of Directors and other risk
owners of the different legal and reputation issues to which they, or the Group, may be exposed.
Finally, he defends his point of view if, after discussion with the risk owners, he believes that certain
risks have been partially described, underestimated or overestimated, and he points this out in his report
to the Management Committees.
The CRO/RO assumes a duty to alert when faced with unethical situations and may seek advice and
guidance from the Entity's Ethics and Compliance Officer. Performance improvement and the legitimate
desire to develop business can never justify inappropriate behaviour contrary to the ethical principles
and values of the Group. Such behaviour may create an ethical, legal or reputation risk that is contrary
to the commitments of the Group and its General Management.
Due to the nature of their mission, CROs/ROs are bound by a strict duty of confidentiality.
6 https://engie.sharepoint.com/ERM/Governance/4-Code of Ethics
The general Enterprise Risk Management Policy can only achieve its objectives through a general
breakdown of its principles into specific risk policies for all of the Group's activities and functions. Every
major risk must eventually be covered by a specific policy.
To comply with the requirements of the general policy and the legal decree aimed at "monitoring the
effectiveness of the Risk Management system", every specific risk policy of ENGIE must be made up
of the following elements:
- precise framing of the area covered;
- setting the accepted exposure limits, in line with the overall level of risk appetite or tolerance for
the Group, and determining the intermediary steps, if necessary;
- explaining the governance of the risk: the risk’s owner(s), management body, risk committee
where appropriate;
- description of the treatment procedures and supervision criteria for the risk;
- identifying relevant indicators for monitoring the risk, ideally with a link to the Group Risks
Catalogue.
Existing business policies or procedures may often contain some elements of risk policy. It is important
to ensure their completeness.
These policies apply to all of the Group's Entities, in accordance with their governance rules.
The process defining the scope of the INCOME programme includes a detailed examination of the major
risks from the Group review, which provides focus points for internal control evaluation activities.
The Order of December 8, 2008, which incorporates the 8th European Company Law Directive into
French law, also requires the Board of Directors, through its Committees, "to monitor the effectiveness
of the Risk Management system and internal control". These obligations apply to the management that
is responsible for Risk Management.
The AMF (Autorité des Marchés Financiers, the French financial market regulator) headed a
consultative committee which, in 2010, confirmed the obligations of companies under the 8th Directive (see
the document on the ERM SharePoint7). The provisions of the ERM Guide make it possible to satisfy
these expectations as regards Risk Management.
The Group is therefore required to provide its Board of Directors with information enabling it to comply
with the regulation. This ERM Guide describes the practices applicable to Entities within the Group (in
compliance with their respective governance rules) to enhance the effectiveness of their Risk
Management system and ensure relevant reporting thereof.
In addition, specific laws and regulations apply to some business sectors in which ENGIE operates and
set the framework for Risk Management in these activities. Each activity should keep track of changes in
its regulatory environment. Group Entities must comply with national legislation.
7 https://engie.sharepoint.com/ERM/Governance/3-Risk policies
E-Risk guarantees the traceability of information and allows the sharing of restricted information. Besides,
the tool's functionalities facilitate the preparation of the risk review (see appendix 1: Risk review deliverable).
The tool is available on any device. Its access is secured and synchronised with your
Windows account.
Dedicated training sessions are set up for the mastering of the tool.
– Dashboard with the major risks (Top 10) based on the pessimistic scenario, among which the
BU selects its Top 3 (E-Risk extract)
– Extreme scenarios associated with major risks, at least for the Top 3. Extreme scenarios are
recommended for other risks when relevant
– Emerging risks
– Decisions in conclusion of the risk review of the Entity (validation of the risk exposure
assessment, the target exposure and risk mitigation plans).
Risk sheets are to be included for all major risks, as part of the deliverable. They are automatically
extracted from E-Risk.
Restricted circulation
Risk sheets may contain sensitive and confidential information. They need to be adequately protected
(e.g. marking, distribution, consultation, etc.).
Residual scenario valuation: state the key risk assessment factors as a summary table.
Financial impact: computed cumulatively over the 6-year period (MTP (3 years) + 3-year
forecast), in local currency or in millions of euros. A precise assessment is not always possible;
nonetheless, a single figure is requested for reporting purposes. The range of uncertainty may
be disclosed in the detailed assumptions.
Non-financial impact: define the type of impact amongst: reputation or image / human
resources / social or societal / environment / legal / health or safety. Assess the level of impact
on the ERM 1-4 scale.
Trend: estimated as increasing, decreasing or stable on the basis of the risk's evolution and the
events that occurred during the period.
Risk description
Entity: Entity denomination as identified within the organisation and integrated in E-Risk.
Risk category: specify here the category related to the risk from the ENGIE risk catalogue.
Choose the best-fit category, even if the risk also marginally affects another category.
Country: with reference to the Entity location
Risk owner: state the name or function of the risk owner who has been designated during the
risk review. The risk owner may be the operational manager or the manager of a Functional
line.
Description: description including, if necessary, notes on the risk's perimeter. The description shall
make the business challenge caused by the risk, and its context, understandable. It is specific
rather than generic, and short (summarised).
Analysis of the main causes of the risk: show the main causes. This is not an exhaustive
list of all possible causes, but of the main ones. Each cause must be described briefly. Indirect
causes or 'risk factors' that increase the risk impact or likelihood are just as relevant as direct
causes.
Find the primary causes wherever possible.
Analysis of the main consequences of the risk: as for causes, show the main
consequences. Indicate when consequences of the risk can have cascading effects (domino
effect or contamination). Specifically, show if the consequences can overflow beyond the Entity
and impact other entities. Where applicable, show the other entities affected.
In the same way, show any specific dependency that may exist with another Entity, in case a
random event from that Entity could affect your Entity.
Mitigation plan
Describe the main actions implemented, derived from the Risk Management strategy, to achieve
the target risk level.
- Is there an important risk that is not indicated in the risk map for your business?
- Should the definition of risks for your business (description and segmentation) be substantially
modified or expanded?
- Does any risk appear significantly under- or over-estimated (impact or likelihood)?
- How can you respond to generate performance, maintain your reputation or guarantee your
continuity (risk reduction to anticipate future reaction)?
- Could certain risks in your Entity reach an unsustainable level, as part of a stressed scenario for
example?
- If so, does their impact seem sufficiently reduced or contained to you?
- Another way of reducing risk is to diversify it. In your view, are value and reputation-creating
factors sufficiently diversified?
- In your view, what level of financial, legal or reputation hazard is reasonable for your business
and for the Group?
Benefits of ERM
ERM aims to boost confidence in the Group, its products and the quality of its services, as well as to
strengthen the decision-making process, by offering a succinct enterprise-wide overview of, and
knowledge of, the risk exposure of the entities and the Group.
- To what extent do you think this goal has been achieved?
- Do you expect other benefits from ERM?
- What issues should be priorities for next year?
Extreme scenario
- In your industry or functional line, what type of risk is a reference because of its financial or
non-financial impact?
- What would be an adapted scenario for your Entity?
- What would be the impact and likelihood?
- Do current mitigation plans take this type of risk into account, so as to lower it to an acceptable
impact/likelihood level?
Opportunities
- Do identified risks have linked opportunities?
o Uncertainties that could have positive or negative effects
o Competitive advantage in case of better risk control than competitors
o Risk Management skills development could lead to service delivery.
Example:
Case of an event that may arise every year, with an impact of €100 million
and a likelihood of 10%.
[Figure: Impact]
EL can only be used to assess the average loss of a group of risks, and not for a few isolated risks.
Aggregation rules
When the risks of a basket are independent, the EL of the basket is equal to the sum of the
ELs of the risks in the basket.
Warning: the risks might not be independent. In this case, the combination rules are different.
It is advisable to ensure that the aggregated risks are homogeneous in frequency and severity, so that
the equivalent risk will be representative of the elementary risks, regardless of the method used.
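The following is an added example, not part of the ENGIE guideline or its calculation tool, that works through the €100 million / 10% example above and the aggregation rule for independent risks. The basket figures are constructed; dependent risks, whose combination rules differ, are deliberately not modelled.

```python
import random


def expected_loss(impact, likelihood):
    """Expected loss (EL) of a single risk: impact x annual likelihood."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability in [0, 1]")
    return impact * likelihood


def basket_expected_loss(risks):
    """EL of a basket of INDEPENDENT risks: the sum of the individual ELs.
    This additive rule does not apply to dependent risks (not modelled here)."""
    return sum(expected_loss(impact, p) for impact, p in risks)


def simulate_annual_losses(risks, years, seed=0):
    """Draw 'years' annual losses for the basket. Each year, every risk either
    occurs (full impact) or does not, independently of the other risks."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = []
    for _ in range(years):
        losses.append(sum(impact for impact, p in risks if rng.random() < p))
    return losses


def average_loss(losses):
    return sum(losses) / len(losses)


# Figures taken from the guideline's example: EUR 100 million impact, 10% likelihood.
SINGLE_RISK = (100.0, 0.10)
# Constructed basket of independent risks (EUR million, annual likelihood).
BASKET = [(100.0, 0.10), (40.0, 0.25), (5.0, 0.80)]

if __name__ == "__main__":
    print("EL of the single risk:", expected_loss(*SINGLE_RISK))
    # In any single year the loss is 0 or 100, never the EL of 10:
    print("Loss observed in one year:", simulate_annual_losses([SINGLE_RISK], years=1)[0])
    # Averaged over many years (or many similar risks) the loss approaches the EL:
    print("Average over 20,000 years:",
          round(average_loss(simulate_annual_losses([SINGLE_RISK], years=20000)), 2))
    print("Basket EL (sum of ELs):", basket_expected_loss(BASKET))
    print("Simulated basket average:",
          round(average_loss(simulate_annual_losses(BASKET, years=20000)), 2))
```

The one-year draw illustrates why EL is only meaningful as an average over a group of risks: an isolated risk either materialises in full or not at all.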
8
https://engie.sharepoint.com/ERM/Methods & toolkit/ERM guidelines/ Calculation tool
Risk STR5R001: Risks are poorly identified, poorly evaluated or mitigation plans are
not defined or are not efficient enough
Control STR5C100-C1
Risk review by a trained Risk Officer, according to the ERM methodology, under the
supervision of the Chief Risk Officer
Risk STR5R002: Risks are not taken in accordance with the delegation of authorities
Control STR5C200-C1
Approval in the General Management Committee of the existing and target risk exposure for
current activities and new projects
Risk STR5R003: The mitigation plans are not implemented, not monitored or not
efficient
Control STR5C300-C1
Monitoring of mitigation plans for major risks
Transverse risk
Control STR5C0090-C1
Information classification and protection