
ERM GUIDE 2017

Enterprise Risk Management


Methodology

« To better manage our risks so as to better perform and to lead the Group
transformation to a success »

Risk Management Division – March 2017

Risk Management Division – January 2016


ERM GUIDE – ENGIE 2017 – all rights reserved 1
Contents
1. AIMS AND OBJECTIVES ........................................................................................................................ 7
1.1 ERM: enhancing performance and making the Group's transformation a success ...................... 7
1.2 Goals of Risk Management............................................................................................................ 7
2. ROLES AND RESPONSIBILITIES ............................................................................................................. 9
2.1 Management ................................................................................................................................. 9
2.1.1 The Board of Directors and the Audit Committee ................................................................ 9
2.1.2 The Executive Committee ..................................................................................................... 9
2.1.3 The Functional Divisions and Operational Divisions of NewCorp ......................................... 9
2.1.4 Entity Heads .......................................................................................................................... 9
2.1.5 Non-majority-owned subsidiaries ....................................................................................... 10
2.2. ERM Functional Line.................................................................................................................... 10
2.2.1. The ERM Functional Line ..................................................................................................... 10
2.2.2. Entity Chief Risk Officer (CRO) ............................................................................................. 10
2.2.3. Entity Risk Officer (RO) ........................................................................................................ 11
2.2.4. The Risk Management Division ........................................................................................... 11
2.3. Confidentiality rules – Compliance ............................................................................................. 12
3. OPERATIONAL PROCESSES ............................................................................................................... 14
3.1. Definition of risk ......................................................................................................................... 14
3.2. Unit risk assessment ................................................................................................................... 14
3.2.1. Determining the context ..................................................................................................... 14
3.2.2. Identification ....................................................................................................................... 15
3.2.3. Analysing the causes and consequences............................................................................. 15
3.2.4. Assessment using scenarios ................................................................................................ 16
3.3 Risk appetite and management risk strategy .............................................................................. 19
3.3.1. Risk appetite and target risk................................................................................................ 20
3.3.2. Risk management strategy and action plan ........................................................................ 20
3.3.3. Quality of mitigation plans .................................................................................................. 23



3.4 Annual risk review – Assessment of overall exposure to risks .................................................... 25
3.4.1. Objectives ............................................................................................................................ 25
3.4.2. Progress, risk matrix and overall view................................................................................. 25
3.4.3. Classification criteria and selecting major risks .................................................................. 26
3.4.4. Risk baskets and aggregation methods ............................................................................... 26
3.5 Coordination with strategic and financial processes .................................................................. 28
3.5.1 ERM and strategic processes coordination .......................................................................... 28
3.5.2 ERM and MTP processes coordination................................................................................. 28
3.6 Project risk assessment ............................................................................................................... 29
3.7 Risk Management maturity and effectiveness ............................................................................ 29
3.8 Roll-out process, coordination and work schedule ..................................................................... 29
3.8.1. Roll-out within organisations .............................................................................................. 30
3.8.2. Intermediate and final reviews ........................................................................................... 30
3.8.3. Work schedule..................................................................................................................... 31
4 REFERENCE FRAMEWORK ................................................................................................................ 33
4.1 Group governance....................................................................................................................... 33
4.1.1 The ethics of the Chief Risk Officer and the Risk Officer ..................................................... 33
4.1.2 Group Risk Management Policy .......................................................................................... 33
4.1.3 Specific risk policies ............................................................................................................. 34
4.2 Standards and regulatory framework ......................................................................................... 35
4.2.1 Legal and regulatory framework ......................................................................................... 35
4.2.2 Compatibility with standards .............................................................................................. 35
5. RISK MONITORING AND ASSESSMENT TOOLS .................................................................................. 37
5.1 Assessment Risk support ............................................................................................................. 37
5.2 Documentary base : ERM SharePoint ......................................................................................... 37
5.3 Dedicated corporate social network for Risk Management ....................................................... 37



ERM Guide – Appendices ...................................................................................................................... 38
Appendix 1 : Risk review deliverable..................................................................................................... 39
1.1 Slide show with synthetic messages ........................................................................................... 40
1.2 Appendixes : risk sheets .............................................................................................................. 40
Appendix 2 : Risk sheet content – E-Risk overview ................................................................................ 41
Appendix 3 : ERM Interview Guide ....................................................................................................... 45
Appendix 4 : Recurring risk assessment ................................................................................................ 48
Appendix 5 : Risk basket assessment (aggregation) ............................................................................. 50
Appendix 6 : ERM maturity assessment ................................................................................................ 53



CHAPTER 1
Aims and objectives



1. AIMS AND OBJECTIVES
1.1 ERM: enhancing performance and making the Group's transformation a
success
Managing risks increases the likelihood of achieving strategic, financial and operational objectives
against the backdrop of a constantly-changing energy and energy services market. Enterprise Risk
Management (ERM) enhances our knowledge of risks, thus enabling us to define our risk appetite and
take risks consciously, after consideration. As such, decisions are informed and evaluated, and we are
better able to plan ahead, especially in terms of our capacity to manage risks.

1.2 Goals of Risk Management


Enterprise Risk Management is a management tool for the Enterprise that enables the following goals
to be achieved:

- create and maintain the value, assets and reputation of the company, as well as internal
motivation;
- encourage a level of risk-taking that is reasonable in social, human and legal terms, acceptable
to the public and economically sustainable;
- comply with legal and regulatory requirements and the ENGIE Group's rules and values.



Chapter 2
Roles and responsibilities



2. ROLES AND RESPONSIBILITIES
2.1 Management
The effectiveness of risk management depends on various stakeholders at each level of the company:

2.1.1 The Board of Directors and the Audit Committee


Supported by its Standing Committees, the Board of Directors must « ensure that the effectiveness of
the risk management system is monitored ». It regularly reviews the Group's risk appetite and exposure
to risks.

2.1.2 The Executive Committee


The Executive Committee (EXCOM) determines the Group's risk appetite within the framework of the
Group strategy approved by the Board of Directors, and approves risk policies with the support from the
Metiers, the Functional Divisions and the Operational Divisions.

It examines and approves the Company's major risk review regularly enough to keep up with the
changing situation.

2.1.3 The Functional Divisions and Operational Divisions of NewCorp


As part of their role supporting Group and Entity Management, the NewCorp Divisions set out the
specific risk management policies for the areas under their responsibility, issue risk mandates in certain
cases, and monitor the implementation of these policies and mandates. In doing so, they manage
specific cross-functional risks at Group level.

2.1.4 Entity Heads


Heads of Entities (BUs, legal or managerial Entities within BUs, Operational Divisions such as NDD,
RTD, Purchasing or GBS, and Functional Divisions) are responsible for managing risks in their area of
activity or expertise. They are the risk owners for their area of responsibility and may delegate risk
ownership and risk management to other managers. "Every manager is a Risk Manager."

Entity Heads define and implement specific risk policies in line with the framework set by the Group
and within the limits of their power to delegate. They determine the global level of the target exposure
for a given time frame, plus, if necessary, a target exposure limit and/or steps for improvement.

Entity Heads oversee their Entity's exposure to risks. To that end, they implement the risk management
process, meaning that they are responsible for identifying, assessing and classifying their risks and for
elaborating and implementing associated treatment action plans, then monitoring their effective
implementation and efficiency. Management reports include a dashboard featuring a set of indicators to
help them monitor their progress on exposure to the main risks.

Risk-taking that is reasonable in social, human and legal terms, acceptable to the public and
economically sustainable is a factor used to assess individual performance as part of the Management
Way (Business Leadership).



2.1.5 Non-majority-owned subsidiaries
The Group does not control some of its Entities, such as Entities in which the Group does not hold a
majority stake. These Entities are subject to their own governance rules (e.g. shareholders’ agreement,
publicly-traded company), and as such, risk management control must comply with the Entity's
governance.

The Entity's Board of Directors must "determine the acceptable risk profile for the Entity and ensure that
the Entity's organisation, procedures and culture enable it to manage risks in a satisfactory manner.
Management is responsible for designing and implementing the risk management systems and ensuring
that they are both comprehensive and effective. Directors must pay special attention to the risks that
pose the most direct threat to the Entity's activity, as determined by a risk map prepared by the Entity.
Finally, they must ensure that communications with shareholders on these matters are complete and
accurate." (Extract from the ENGIE Director's Guide).

2.2. ERM Functional Line

2.2.1. The ERM Functional Line


The ERM Functional Line is made up of all the Chief Risk Officers (CROs) and Risk Officers (ROs)
appointed by Entity Heads at all Group levels. It is led by the Head of Risk Management. It is
responsible for Enterprise Risk Management within the Group.

2.2.2. Entity Chief Risk Officer (CRO)


The Head of the Audit and Risks (DAR) acts as the ENGIE Group's Chief Risk Officer.

Each Entity (BUs, legal or managerial Entities within BUs, Operational Functions such as NDD, RTD,
Strategic Sourcing and Supply Division, GBS, etc., and Functional Divisions) appoints a CRO who reports
directly to the Entity Head (or CEO) and sits on the Entity's Management Committee.

Candidates for the role of BU Chief Risk Officer include the Chief Financial Officer, the Director of
Strategy and the General Secretary. The Chief Risk Officer sits on the BU's Commitments Committee.

The CRO determines the BU's overall exposure to risks on behalf of the CEO and assists the CEO with
managing it:
- in ongoing activities, in terms of the risk appetite/risk mandate defined by the Group;
- in projects under development, in terms of the Entity's capacity to manage risks.

As they go about their work, CROs must be independent, business-minded and vigilant with a view to
testing the resilience of the business model, better anticipating emerging risks and preventing the
occurrence of operational risks (or at least limiting their impact) at an acceptable cost, given what is at
stake.

He has a duty to «report risks».

He complies with the Group's Code of Ethics and the professional code of ethics set out by FERMA
(Federation of European Risk Management Associations) (available on the ERM SharePoint¹).

He oversees competency development and progress on maturity in Risk Management within his Entity:
i) Managers who make decisions on taking risks; ii) Risk Officers who act as Business Partners, with
the primary role of advising and alerting.

¹ https://engie.sharepoint.com/ERM/Governance/Forms/4-Code of Ethics



In their functional role, the Metiers, Functional Divisions and Operational Functions prepare the Group's
objectives, strategy or decisions. The CRO of each of these Entities works with the ERM Functional Line
to:
- define the risk appetite/the risk mandates;
- take a second look;
- provide input for the risk analysis;
- contribute to the Group's major risks review.

2.2.3. Entity Risk Officer (RO)


Risks are managed through the expertise of a professional Risk Officer.

The Risk Officer reports to the CRO and is skilled in identifying, analysing and assessing risks and
determining measures for treating them. He acts to inform operational and strategic decision-making.
He provides an objective overview of risks and, in his role as Business Partner, advises managers with
a view to reducing risks or taking more risks to optimise profitability. He performs this task for both
ongoing activities and projects, always complying fully with laws, regulations and Group policies.

The role of Entity Risk Officer is given to an employee who has received specific training in both
recurring activities and projects. The expected level of expertise is determined by the challenges posed
by the Entity's activities or the complexity of its projects. Risk Officers actively participate in the ERM
CoP to keep their professional skills up to date. They comply with the Group's Code of Ethics and the
professional code of ethics set out by FERMA (Federation of European Risk Management Associations)
(see above).

Entity Risk Officers implement Enterprise Risk Management processes.

Tasks are cascaded in the Group Entities and are tailored to their size and their activities.

2.2.4. The Risk Management Division


The Risk Management Division, which is part of the DAR, is made up of the Corporate Risk Officers. Its
task is to implement the effective risk management system required by the Group. More specifically, it
heads up the ERM function in such a way as to ensure that the company risk exposure is properly taken
into account in both its existing activities and its projects, and that competencies are developed within
the Group to the appropriate maturity level with regard to risk-taking.

In its functional role, drawing on both professional practices and experience within the Group, it
develops:
- the definition of the risk appetite for the Group's activities, in partnership with the Metiers,
the Functional Divisions and the Operational Functions;
- the watch on emerging risks, with a view to pinpointing new risk scenarios as quickly as
possible and preparing for them in an optimal manner;
- support and advice to the BUs to help them achieve a greater competency level in
terms of risk management and enable them to fully perform all the tasks assigned to them;
- the risk culture among the Group's Senior Executives and Managers, and the Risk Officers'
expertise level;
- support for ERM and PRM (Project Risk Management): methods, tools, training and
communication (available on the ERM SharePoint²).

² https://engie.sharepoint.com/ERM/Methods & toolkit



In its operational role, the Risk Management Division:
- draws up the Group's general risks review;
- draws up reviews of priority and major risks, under the supervision of their coordinators;
- prepares public communications on the Group's risks, most notably the Reference Document
and the Integrated Report.

In its supporting role to the BUs, the Risk Management Division contributes to the BUs' risk
exposure assessments and boosts their relevance.

The Risk Management Division maintains relations with the other Functional Divisions and Operational
Functions and with the Metiers with a view to promoting smoother integration of Risk Management into
the overall management of ENGIE's activities.

2.3. Confidentiality rules – Compliance


Risk identification and characterisation, the associated treatment actions and optimisation choices are all
highly strategic for the company.

This information highlights any weak points that may be used against the company, as well as any
strategic actions that may offer it a competitive advantage.

ENGIE Risk Management information is sensitive. As such, it is governed by the Group's information
management and classification policies, in compliance with the Group Policy on Protection of Intangible
Assets (ENGIE 2015 – 005):

- access to risk content information is restricted;
- information on Risk Management methods and tools is the intellectual property of the Group
and is for internal access only.

Communication of this information – particularly in financial communications – is managed in compliance
with legal requirements. The implementation of ERM fully respects Group entities' governance and legal
obligations.

This information will still be considered adequately protected if it is distributed specifically to managers
so that they may implement the defined Risk Management actions.

Approved risk reviews are for restricted distribution only.


The Group's rules on protection of information apply.
The Risk Review distribution list must be defined for each level of the Group, Business Units, and so
on.



Chapter 3
Operational processes



3. OPERATIONAL PROCESSES
This section describes the Risk Management process, the various tasks that must be performed and
the methods to be applied, in accordance with the ISO 31000 standard.

3.1. Definition of risk


The Group's Enterprise Risk Management Policy describes a risk as:

"Any possible event likely to have a positive or negative impact on the Company’s continuity,
its reputation or the achievement of its strategic, financial or operational objectives."

3.2. Unit risk assessment

3.2.1. Determining the context


The first step in the Risk Management process is understanding the Entity's business, the environment
in which it operates and the internal/external factors or events that may jeopardise it.

To that end, CROs/ROs gather a range of information:

- within the Group (e.g. examining past events, analysing strategic, financial and operational
objectives, identifying stakeholders, etc.);
- outside the Group (e.g. analysing the development of the sector of activity, benchmarking on
similar companies).



3.2.2. Identification
The identification process aims to pinpoint which of the many risks pose the greatest threat to the
company.

To do this, CROs/ROs use:

The risk catalogue and the analysis guide for each Risk Family
The Group risk catalogue is the first port of call for identifying risks: it provides an overview of most of
the risks encountered by the Group in the course of its activities, though it is not exhaustive (catalogue
available on the ERM SharePoint³ and integrated in E-Risk, the risk management tool).

CROs/ROs can also consult the practical information sheets drafted for certain risk types
(e.g. Health and Safety, Ethics and Compliance, etc.) as a tool to assist them in their work (available on
the ERM SharePoint⁴).

Interviews and working groups/brainstorming sessions


It is advisable for CROs/ROs to interview the members of their Entity's Management Committee (either
individually or in a committee meeting called for the purpose) and other operational managers at least
once a year in order to gain a clear overview of the risks facing the Entity (see Appendix 3: guidelines
for interviews with senior executives and other staff involved in risk assessment).

In addition, CROs/ROs can bring together a multidisciplinary team at various levels of their Entity with a
view to brainstorming on emerging or fast-changing risks, or, in the case of new activities for the Entity,
opening up a free and frank discussion of possible risks.

3.2.3. Analysing the causes and consequences


Every risk has one or more causes and results in one or more consequences.

Causes may be direct (i.e. directly causing the risk to occur) or indirect (i.e. encouraging the risk to
occur, ahead of the action-reaction chain, and/or exacerbating the risk's consequences). They are
typically analysed using causal trees. It is worth looking into the primary causes of risks to increase Risk
Management effectiveness.

The consequence of a risk can also be the cause of the risk it leads to (for example, in the case of
dependent risks). Whether an event is classified as a cause or a consequence depends on one’s
viewpoint.

TREE-STRUCTURE DIAGRAM OF CAUSES AND CONSEQUENCES (figure)
Causes (Management, Competencies, Organisation, Machines, Raw materials) lead to the Event, whose
consequences include financial losses on the result, loss of opportunities, asset value losses, damage to
image, environmental damage and human losses.

³ https://engie.sharepoint.com/ERM/Methods & toolkit/risk catalog
⁴ https://engie.sharepoint.com/ERM/Methods & toolkit/ERM guidelines/ specific guides per risk family



3.2.4. Assessment using scenarios
After identifying the risks, their causes and their consequences and building the corresponding scenarios,
CROs/ROs must assess them according to two criteria, impact and probability, using scenarios, i.e. sets
of assumptions about the risk's occurrence and its effects. Evaluating the risks makes it possible to
prioritise them.

Although assessments must be representative, they do not necessarily have to be very specific.
Nevertheless, the scales involved must be sufficient for determining whether the risk is potentially
catastrophic or, on the contrary, minimal.

Two scenarios should be used to characterise a risk:

- The reasonably pessimistic scenario illustrates a deviation from the objectives set by the
MTP and the modelling extending it. It takes into account mitigation plans already in place.
- The extreme scenario is devised on the basis of reference accidents or events that are
considered rare but not impossible. The extreme scenario challenges the resilience of the
Group's strategic orientations and investment decisions and makes it possible to assess
preparedness for handling rare risks, in terms of both prevention and mitigation.

3.2.4.1. Impact assessment

The impact of a risk measures the consequences of the risk's occurrence. There are two dimensions
to this (financial impact and non-financial impact). It is advisable to assess both the financial and non-
financial impact for every risk.

Financial impact
The financial impact is the total cost to the Group over a period of 6 years (excluding market risks,
which are assessed over a period of 3 years).

The financial impact is assessed in terms of deviation from the MTP's base case scenario (3
years) and the forecast modelling over the 3 following years, in compliance with the financial
process (see subsection 3.5, coordination with strategic and financial processes, below).

All of the different types of impact are examined, and their type specified (e.g. EBITDA, CAPEX, below
EBITDA, assets value, etc.).

Financial quantification of the risk's impact is an essential component for assessment. Financial
managers should be involved in the process so that they can confirm the assessment (Business Control,
Insurance Department, and so on).

The financial impact is assessed on a scale of 1 to 4, with 1 being the least and 4 the most catastrophic
impact. It is typically compared to the Entity's EBITDA cumulated over 6 years:

Score   Impact level    Value range (% of reference quantity, generally EBITDA, cumulated on the MTP horizon)
1       Low             < 1%
2       Moderate        between 1% and 5%
3       Severe          between 5% and 15%
4       Catastrophic    >= 15%



It is important to outline the main underlying assumptions, specifically the assumptions incorporated into
the MTP baseline and the modelling of following years, on which the risk is based.

Changes in a risk from one year to another should be expressed in reference to the residual risk.
However, all comments on the change need to take account of the total risk (share integrated into the
MTP out of 'prudence' and residual share).

Non-financial impact
The non-financial impact measures the consequences for the Group (and where applicable, the
stakeholders) of non-financial aspects such as:
 the human impact: health and safety;
 the Group's image or reputation;
 the environment;
 the legal impact;
 the social or societal impact.

The assessment will be performed with regard to the criterion with the highest impact and will take into
account the long-term or limited nature of non-financial impact, especially for the Group's image and
reputation.

The non-financial impact is assessed on a scale of 1 to 4, with 1 being the least and 4 the most
catastrophic impact.

Score   Impact level    Description (at least one of the criteria below may result)
1       Low             No or no serious impact on human health and the environment. Situation can be
                        resolved in the short term. Local or low-level media coverage. Some displeasure
                        among customers, employees...
2       Moderate        Long-lasting or irreversible impact on human health and on the environment. Real
                        threat to the stability of the structure. Regional or national media coverage.
                        Possibility of legal action. Economic harm may result.
3       Severe          High impact on human health and life (one or more deaths) or on the environment.
                        Continuity of the structure jeopardised. Broad media coverage. Possibility of legal
                        action against company officers.
4       Catastrophic    High impact on human health and life (numerous deaths) or on the environment.
                        Continuity of the structure severely compromised. Major media coverage and
                        sustained adverse press campaign. Legal action against company officers.

3.2.4.2. Likelihood assessment

Occurrence likelihood measures the probability of the risk occurring within a particular time frame.

When there are no statistics, assessing likelihood may be guided by various factors, such as past
events, common sense and experience. It is advisable to compare several different viewpoints and sets
of data.

The probability of occurrence is assessed on a scale of 1 to 4, with 1 being the lowest probability level
and 4 the highest:

Score   Likelihood level    Value range   Comments
1       Unlikely            < 5%          There is a very low, but non-negligible, possibility that the risk
                                          may occur.
2       Rather unlikely     5% - 20%      There is a possibility that the risk may occur.
3       Rather likely       20% - 50%     There is a clear possibility that the risk may occur, which is
                                          lower than the possibility of the risk not occurring.
4       Likely              >= 50%        It is more likely that the risk will occur than that it will not.

Recurring risk
Recurring risk events are risks that are liable to arise every year, with the same likelihood and
impact. They are specific events that will certainly occur, but it is not known how many times they will
occur over a 6-year horizon.



- Examples of recurring risks: B2C credit risk, risk that certain assets will be unavailable.

Once the annual likelihood and impact of an event have been determined, the Excel simulator (available
on the ERM SharePoint⁵) works out the probabilities and impacts over the desired period
(see Appendix 4).

Coherence of the probability/impact pair

Impact and probability assessments are connected and refer to the same risk scenario and, as
such, the same underlying assumptions.

Example
Description of risk: Failure to achieve the sales development targets for energy services.
MTP reference scenario over a 3-year period and forecast modelling over the following 3
years: the volume of energy services sales rises by 5% per year, with a gross margin (EBITDA) of
10%, i.e. a cumulative EBITDA of €120 million over a 6-year period.
Risk scenario: Falling energy prices make investments less profitable in the energy sector. The sales
volume remains in line with the MTP for 2018 and 2019 (deals already signed) but falls off towards the
end of the period, returning to 2017 levels. Beyond the drop in turnover, the margin shrinks due to
increased competition. This reasonably pessimistic scenario has a cumulative likelihood of 30% and a
cumulative impact of -€80 million over 6 years.
(Year-by-year breakdown: 2018 and 2019: €0 million; 2020-2023: -€20 million/year.)
Extreme scenario: Rather than a slow decline in margins and service volumes, we may encounter a
disruptive scenario such as sudden involvement of intermediaries like digital companies or
manufacturers.
Equipment manufacturers install sensors then gather our customers' data so as to offer them energy
optimisation services. Market losses are gradual but exponential as the technology evolves. ENGIE is
relegated to being a second-tier service provider that just implements the manufacturer's
recommendations. Loss of margins and sales: €200 million.

3.2.4.3. Time risk horizon

The time risk horizon (or time of occurrence) corresponds to the period in which the risk is likely to occur. It is
closely linked to the selected scenario.

- Short term: the risk occurs within 3 years,
- Medium term: the risk occurs within 4 to 6 years,
- Long term: the risk occurs beyond 6 years.
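As an added worked example (it is not the Group's Excel simulator from appendix 4, whose method is not described here), the following Python scores an annual probability on the 1-4 scale above, projects a recurring risk over a multi-year horizon and classifies the time horizon. It assumes that occurrences in different years are independent (so the number of occurrences over n years follows a Binomial(n, p) law); all figures are constructed.

```python
"""Added worked example; not the Group's Excel simulator from appendix 4.

Assumption: occurrences in different years are independent, so the number of
occurrences of a recurring risk over n years follows a Binomial(n, p) law.
All figures used below are constructed.
"""
from math import comb


def likelihood_score(p: float) -> int:
    """Map a probability to the guide's scale: 1 (< 5%), 2 (5-20%), 3 (20-50%), 4 (>= 50%)."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must lie between 0 and 1")
    if p < 0.05:
        return 1
    if p < 0.20:
        return 2
    if p < 0.50:
        return 3
    return 4


def time_horizon(year_of_occurrence: int) -> str:
    """Horizon class of 3.2.4.3: short term within 3 years, medium term 4 to 6, long term beyond 6."""
    if year_of_occurrence <= 3:
        return "short term"
    if year_of_occurrence <= 6:
        return "medium term"
    return "long term"


def occurrence_distribution(p_annual: float, years: int) -> dict:
    """Probability of exactly k occurrences in `years` years (Binomial law, independence assumed)."""
    return {k: comb(years, k) * p_annual ** k * (1.0 - p_annual) ** (years - k)
            for k in range(years + 1)}


def occurrences_at_confidence(distribution: dict, confidence: float) -> int:
    """Smallest number of occurrences that is not exceeded with the given confidence."""
    cumulative = 0.0
    for k in sorted(distribution):
        cumulative += distribution[k]
        if cumulative >= confidence:
            return k
    return max(distribution)


def project_recurring(p_annual: float, impact_per_event: float, years: int = 6) -> dict:
    """Turn an annual likelihood and a per-event impact into figures over the whole horizon."""
    dist = occurrence_distribution(p_annual, years)
    p_at_least_once = 1.0 - dist[0]
    expected_occurrences = years * p_annual
    pessimistic = occurrences_at_confidence(dist, 0.90)  # "reasonably pessimistic" count
    return {
        "annual_score": likelihood_score(p_annual),
        "p_at_least_once": p_at_least_once,
        "horizon_score": likelihood_score(p_at_least_once),
        "expected_occurrences": expected_occurrences,
        "expected_impact": expected_occurrences * impact_per_event,
        "pessimistic_occurrences": pessimistic,
        "pessimistic_impact": pessimistic * impact_per_event,
    }


if __name__ == "__main__":
    # Constructed figures: a B2C credit loss with a 15% chance each year of costing EUR 4 million.
    result = project_recurring(p_annual=0.15, impact_per_event=-4.0, years=6)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("first expected in year 2 ->", time_horizon(2))
```

Note that a score-2 annual likelihood becomes a score-4 likelihood over 6 years, which is why the guide asks for the period to be stated with every likelihood/impact pair.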

3.3 Risk appetite and management risk strategy


The aim of risk treatment is to bring every identified risk to its target level, in line with the risk appetite
determined by the Group and the risk mandates.

5 https://engie.sharepoint.com/ERM/Methods & toolkit/ERM guidelines/Calculation tools



3.3.1. Risk appetite and target risk
The risk appetite is the type and level of risk that the Group is prepared to accept or take in order to
create value as part of its strategy. It is determined by:

 the values at risk – both financial (such as capital employed, EBITDA or net result (Group
share)) and non-financial (such as stakeholder reputations);
 non-financial indicators : availability rate, satisfaction rate, accidental injury rate, and so on;
 the exposure limits or alert thresholds for defined criteria (e.g.: maximum amount of capital
employed per country, volumes not covered in the event of market risk).

These criteria and limits are defined in specific risk policies, which also set out governance for the risk,
its treatment measures, and monitoring indicators.

For each risk identified by the Entities, the Entity Head sets a target risk level denoting the exposure
level or degree of risk-taking that would be acceptable, in line with the law and with the risk
appetite determined by the Group.

The target risk is expressed by a target impact and likelihood level or is defined by financial or non-
financial indicators.

3.3.2. Risk management strategy and action plan


Management appoints a risk owner for every risk : this person is in charge of devising the risk
management strategy and implementing an action plan geared towards reaching the target risk level
determined by the Entity.

The risk management strategy is the overall approach chosen to manage the risk. It may take many
forms. The strategy will be all the more effective if it has been consciously chosen, built and tailored to
match the context of both the Entity and the risk, rather than being the result of a number of uncoordinated
initiatives. The various options available are summarised in the table below and described in the following
subsections.

Management BEFORE THE EVENT:
- removal: eliminate the risk (i.e. eliminate its causes) or avoid it;
- reduction: protection measures (reduce the risk by acting on its impacts) and prevention measures (reduce the risk by acting on its occurrence likelihood);
- transfer: transfer the risk to others (purchasing from qualified suppliers); cover financial impacts through insurance, provisions or financial instruments;
- share: share the risk with other operators;
- re-assessment: of the risk, of all its impacts and of the risk mitigation plan.

Management AFTER THE EVENT:
- managing the feared event: crisis management plan, business recovery plan.

 Removing the risk


Shutting down an activity or facility, ending a relationship with a stakeholder, and so on.

 Avoid taking the risk


Prohibiting, avoiding or not investing in an activity.

 Reducing the risk


– Diversify the risk: dividing it among several different sources to benefit from a pooling effect.
For instance, diversifying the Group's geographical coverage to reduce country risk.
– Diversification produces powerful effects, but can be to no avail in the event of dependent risks,
especially systemic risk.
– Setting up mitigation measures (e.g. prevention, protection, enhanced internal control (INCOME
program), upstream and downstream mitigation).
For instance, set up segregation of duties to reduce the risk of fraud.

 Transferring the risk


Shift the consequences of the risk onto a third party. Usually, only part of the risk is transferred:
– This is the case with insurance (paying a premium in exchange for financial compensation in
the event of a claim), or in the case of credit with banks.
– This may be the case for contractual agreements with customers or suppliers.
– Liability can be partially transferred thanks to a delegation of powers or a contract, but not the
main liability to the client or the company. In this case, it will be called sharing of liability.

Remember that image, legal and human impact cannot be transferred onto third parties as these
always affect the Group.

 Sharing the risk


Risk can also be shared (with business partners, in particular): investments in oil and gas fields are
realised between joint operators to reduce the risk of unproductive drilling.

 Accepting the risk



Doing nothing is also an option. However, this presupposes that the risk can be measured and contained within
acceptable limits and that the action plan is both appropriate and effective. The term 'risk retention' is also
used.

Exploiting the risk: developing the business of a company whose professional know-how enables it to
offer products and services that customers prefer to buy rather than provide themselves or entrust
to a competitor, with a view to controlling risk. This involves taking entrepreneurial risk, as well as
exploiting the opportunity linked to the risk.

Strategic risks: strategic risks are risks related to doing business. As such, they cannot be lowered or
transferred in the same way as operational risks.
They are managed by innovating, adapting business models, lobbying, gathering business intelligence,
developing competencies, and so on.

The risk management strategy is often a combination of different basic strategies.

An Entity may choose to apply other management strategies, such as increasing the risk (e.g. in the
event of excessive prudence in the past, a changed context or technological advances) or adapting its
business model.

Based on the chosen management strategy, an action plan will be drawn up and implemented so as to
reach the target risk level defined by the Entity.

The analysis of causes and consequences will be used to select the most appropriate measures:

[Diagram: CAUSES (competencies, management, organisation, machines, raw materials, environment, and so on) -> preventive measures -> Event -> protective measures -> CONSEQUENCES (financial losses on the result, asset value losses, damage to image, human losses, etc.)]

For each cause analysed, you must ask how you can guard against that cause (preventive action). For
each consequence, you must ask how you can reduce the impact should the risk occur (protective
action).

Example of a competitive risk: “Risk of losing high-value gas customers (source of the highest
margins) to competitors”.



Causes:
- Emergence of new competitors with aggressive pricing policies
- 'High-value' customers targeted by competitors (based on consumption profiles and use)
- Sustained communication campaign by some competitors
- Our fixed costs are high

Consequences:
- Loss of customers, and thus of sales volumes and margin
- Hard to pass on fixed costs to remaining customers because a price hike would encourage more
of them to switch to competitors
=> Sharp decrease in EBITDA

Risk management strategy = reduce the risk by taking preventive measures:
- Competitive intelligence
- Reducing our costs to boost our competitiveness
- Increasing our presence among 'high-value' customers and monitoring their satisfaction
- Developing innovative energy-related services (e.g. digital service offers….)

To be relevant, an action plan must take the cost/benefit ratio into account: Management may accept
a risk if the cost of its mitigation is considered too high for the risk reduction.

Finally, when uncertainty reveals a positive aspect, it is important to take this into account and adapt the
control and target level accordingly. Action plans and mitigation measures can also generate
opportunities in addition to the primary goal of improving Risk Management. Where applicable, the risk
description shall include a description of the related element of opportunity.

3.3.3. Quality of mitigation plans


A mitigation plan must be measurable in objective terms: quantitative indicators or key progress
milestones must therefore be identified when the management plan is designed, and must be reviewed
on a regular basis.

In addition, it is recommended to set up a dedicated system whose purpose is to assess the real effectiveness of
the mitigation plan against the evolution of the indicators used to assess exposure to the risk.

Taking the example of an entity exposed to the risk of industrial accidents :


The entity could assess its exposure to the risk in view of the evolution in the number of near misses each
quarter (leading risk-exposure indicator). In this case, the mitigation plan's effectiveness would be
confirmed by a slow but steady decrease in the number of near misses each quarter.

It is recommended to use existing operational indicators: customer satisfaction rate, outage rate, opinion
polls, financial indicators, and so on.

Internal Audit, Internal Control and Insurance Divisions could be usefully consulted to build an opinion
on the mitigation plan’s quality and effectiveness.



To sum up, an efficient mitigation plan presupposes that the following have been defined:

 A target risk objective,
 The identification of risk factors and the definition of the associated risk management strategy,
 The setting up of pilot actions to reach the target risk level,
 The monitoring of the mitigation plan's achievement.

The quality of the mitigation plan illustrates the extent to which the risk management strategy
enables the target risk level to be reached.

The mitigation plan's quality for each risk is assessed on a four-grade scale (To (re)build, Low, Improvable, High):

Level: To (re)build – Strategy decided: No – Strategy implemented: No
This can be the case for a newly identified risk or if there is a dramatic change for an identified risk.
The risk management strategy has not been defined or re-defined. Exposure or risk nature has changed.

Level: Low – Strategy decided: Yes – Strategy implemented: No
Mitigation plan under implementation.

Level: Improvable – Strategy decided: Yes – Strategy implemented: Partially
A mitigation plan is in place but is not sufficient with regard to the target risk or is not yet fully
implemented.

Level: Good – Strategy decided: Yes – Strategy implemented: Yes
The mitigation plan is sufficient and appropriate with regard to the target risk. The mitigation plan and its
follow-up are implemented.



3.4 Annual risk review – Assessment of overall exposure to risks
The risk review is a managerial monitoring tool.

3.4.1. Objectives
Risk reviews for ongoing activities and projects are organised under the supervision of the CRO and
aim to allow the Entity Head to:
 approve the overall risk exposure level (in the short, medium and long terms) that the Entity
accepts in view of its objectives, the Group's risk appetite policies and the Entity environment
evolution;
 identify the major risks that need to be monitored as a matter of priority, set up mitigation plans
and appoint risk owners;
 assess the effectiveness of existing mitigation plans and decide on their adjustments;
 inform line management about major risks.

3.4.2. Progress, risk matrix and overall view


This review builds on individual risks that have been identified to define a comprehensive matrix of
exposure to risks over various time horizons, which is a key bearing point for risk evaluation.

The risk matrix provides an overview of all the risks. Each risk is indicated on the standard likelihood
/impact chart along with information on quality and effectiveness of mitigation plan.

The coordinates of the point representing the risk are likelihood on the x-axis and impact on the y-axis.
The risk title should be placed close to the point. The background colours on the chart serve as a
guide only.



The risk matrix:
 provides an overview, in graphic form, of all of the information in a single document;
 determines major risks by presenting a cross-disciplinary summary of risks classified at a
certain point in time;
 enables greater understanding of risks and allows any dependency or imitation effects to be identified
('domino effect'). It also makes it possible to optimise mitigation measures and action plans;
 enables the relevance of control processes for major risks to be assessed;
 provides a basis for effective internal communication about risks.
The risk review is a decision-making tool, and is especially useful for decisions on:
 target risk levels and means required to address risks identified;
 allocation of resources enabling control actions to be implemented at an appropriate pace.

The Entity's risk review builds the overall vision of the senior management level and allows it
to decide on the overall actions to undertake. It is reported on as it stands.

The reporting respects the principle of transparency of the Group's Enterprise Risk Management Policy:
"the managers report on the risks in their purview with sincerity". Reporting of major risks is mandatory
and, where applicable, other significant risks deemed by the Entity to require inclusion so as to comply
with these principles.

3.4.3. Classification criteria and selecting major risks


The Entity Management Committee (CODIR) must classify the risks identified by the CRO/RO and select
those requiring specific attention. It is recommended that the CODIR holds an informed debate on risks,
led by the CRO, on the basis of objective criteria:
 financial impact on results;
 non-financial impact, in particular with regard to third parties;
 the sustainability of extreme scenarios;
 the degree of risk control (level of monitoring).

Beyond those criteria, management may take into account a number of other factors such as the need
for:
 internal mobilisation;
 stakeholder communication.

3.4.4. Risk baskets and aggregation methods


When conducting their risk review, Entities also analyse the risks of the Entities that report to them, of
which there may be many. CROs/ROs may therefore need to draw up summaries and group some
elementary Entity risks together in risk baskets.
A risk basket (in the statistical sense of the word) groups together similar risks (e.g. in the same category
in the risk catalogue).



The CRO/RO may choose to single out the most significant elementary risks, and/or to gather some less
important but recurring risks across Entities in a risk basket:
 grouping because the risks are of the same kind, or because the grouping refers to identical
line-of-business problems;
 grouping risks sharing the same causes;
 grouping risks sharing the same consequences.

Many permutations for grouping are possible. Risk Officers must use their own professional judgement
for risk basketing.

It is important to point out the main Entity risks in the basket and their assessment to ensure that no
significant information on risks is lost. This information must be retained for the reporting.

The diagram below shows different options for gathering risk baskets for the summary.

Grouping possibilities for the summary

Aggregation methods (see Appendix 5)


The goal is to obtain an equivalent representation for several risks, each individual risk having a different
likelihood and impact.

The CRO/RO should ensure that the aggregated risks are homogeneous in frequency and severity so that the
equivalent risk will be representative of the elementary risks, regardless of the method used.
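An added example of one aggregation method (it is not Appendix 5, which is not reproduced here): it assumes independent elementary risks, keeps the basket's expected loss in the equivalent risk (whose likelihood is the probability that at least one elementary risk occurs), and applies the homogeneity check the paragraph above calls for. The thresholds, risks and figures are constructed.

```python
"""Added example of one aggregation method for a risk basket; not Appendix 5 of the guide.

Assumptions: elementary risks are independent; the equivalent risk conserves the
basket's expected loss and takes as its likelihood the probability that at least one
elementary risk occurs. The homogeneity thresholds are constructed, as are all risks.
"""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Risk:
    title: str
    likelihood: float  # probability of occurrence over the review horizon
    impact: float      # EUR million; negative values are losses


def likelihood_score(p: float) -> int:
    """The guide's 1-4 scale: 1 (< 5%), 2 (5-20%), 3 (20-50%), 4 (>= 50%)."""
    if p < 0.05:
        return 1
    if p < 0.20:
        return 2
    if p < 0.50:
        return 3
    return 4


def homogeneity_issues(risks, max_score_spread=1, max_impact_ratio=10.0):
    """Reasons (empty if none) why one equivalent risk would not represent the basket.

    Constructed thresholds: likelihood scores may differ by at most one band and
    impact magnitudes by at most a factor of ten.
    """
    scores = [likelihood_score(r.likelihood) for r in risks]
    magnitudes = [abs(r.impact) for r in risks if r.impact != 0]
    issues = []
    if max(scores) - min(scores) > max_score_spread:
        issues.append(f"likelihood scores span {min(scores)} to {max(scores)}")
    if magnitudes and max(magnitudes) / min(magnitudes) > max_impact_ratio:
        issues.append(f"impact magnitudes differ by more than a factor of {max_impact_ratio:g}")
    return issues


def aggregate(risks, title):
    """Return (equivalent risk, homogeneity issues) for a basket of elementary risks."""
    if not risks:
        raise ValueError("a basket needs at least one risk")
    issues = homogeneity_issues(risks)
    expected_loss = sum(r.likelihood * r.impact for r in risks)        # sum of p_i * I_i
    p_any = 1.0 - prod(1.0 - r.likelihood for r in risks)              # P(at least one occurs)
    equivalent_impact = expected_loss / p_any if p_any > 0 else 0.0    # conserves expected loss
    return Risk(title, p_any, equivalent_impact), issues


if __name__ == "__main__":
    # Constructed: B2C credit risk reported by three subsidiaries of the same Entity.
    basket = [
        Risk("B2C credit risk - subsidiary A", 0.30, -12.0),
        Risk("B2C credit risk - subsidiary B", 0.25, -8.0),
        Risk("B2C credit risk - subsidiary C", 0.20, -15.0),
    ]
    equivalent, issues = aggregate(basket, "B2C credit risk (basket)")
    print(equivalent, issues or "homogeneous")
    # Adding a rare but very severe risk to the same basket breaks homogeneity.
    mixed = basket + [Risk("Major IT outage", 0.02, -200.0)]
    print(aggregate(mixed, "mixed basket")[1])
```

In the constructed basket the equivalent likelihood (58%) scores 4 although every elementary risk scores 3, which is why the main Entity risks and their own assessments must be retained alongside the basket in the reporting.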



3.5 Coordination with strategic and financial processes
The Entities risk reviews examine the risks inherent in their business models. These risks are discussed
with the Strategy and Finance Functional Lines during the revision of strategic orientations (ELS
processes) and MTP.

3.5.1 ERM and strategic processes coordination

 The risk review N-1 is an input for the strategic thinking (ELS) of the BU and allows it to identify
whether strategic decisions should be taken in view of the risk exposure: to reduce some risks
or, on the contrary, to take more risks.

 The three major risks impacting the BU business model (Top 3) are defined once the following
questions have been addressed:
– resilience of strategic orientations to stressed risk scenarios that may have the most
significant adverse impact on the BU's profitability,
– impact of proposed strategic orientations (projects, new businesses) on the BU's risk profile
(new potential risks, modification of known risks, etc.),
– emerging risks,
– the ability of the BU to mitigate the main weaknesses and threats that may prevent the BU
from capturing the full value of key promising business opportunities.

 The BU's TOP 3 risks are part of the ENGIE Performance Map analysed during ELS
sessions. The risk mitigation plans for these risks are followed up within the Quarterly Business
Review performance map of the BU.

 The full risk review of the BU, including, in addition to strategic risks, financial and operational
risks, is completed taking into account the conclusions of the strategic approach (context evolution, new
orientations, etc.), initially on a draft basis.

3.5.2 ERM and MTP processes coordination

 The draft risk review is an input for MTP work (2018-2020): provisions or prudence regarding
the targets, in particular, are defined in view of the impacts of the assessed risks, and the associated
mitigation plan costs are integrated into the budget.

 The final BU risk review is finalised simultaneously with the final MTP 2018-2020:
the quantification of the impacts is in reference to MTP 2018-2020 and the 3 following years' forecast.

An opinion by the BU CRO features in the conclusions on the MTP update and in the BU risk review.
Specifically, it covers the coherence of the mitigation plans with the risk appetite, the BU's capacity to
implement them and, finally, the risk acceptance or non-acceptance if it cannot be controlled by the
Entity.



3.6 Project risk assessment
The Risk Management Division has developed, in connection with Business Development Oversight
(BDO) and Industrial Projects Oversight and Support (IPOS), a comprehensive project Risk
Management approach as a complement to the project risk analyses produced by the various functional
lines. This approach is covered in a specific handbook: the Project Risk Management Guide (PRM).

The CRO of the Entity in charge of the project is involved, alongside other stakeholders, in all steps of the
project's development. He oversees, in particular, the consideration of the three to five major risks and
associated mitigation measures and opportunities.

The CRO oversees and signs the 'risks' section of the commitment file.

PRM was developed with a view to:


 giving Business Development and Project teams methodological support (PRM Guide) for
assessing and managing project risks from end to end;
 giving the project manager an additional, cross-cutting insight into project risk analysis and the
resilience of business plans subjected to stressed scenarios.

Project Risk Management is coordinated by Business Development Oversight (BDO), in partnership
with Business Development (BD), Industrial Projects Oversight and Support (IPOS) and the various
Functional Lines whose expertise is relevant to the projects in hand.

3.7 Risk Management maturity and effectiveness


Enterprise Risk Management is part of a process of continuous improvement. Entity CEOs must
regularly assess the effectiveness of Enterprise Risk Management in their Entity and define and
implement the required improvements.

This assessment relies on the STR5 Internal Control Reference framework from the INCOME program
(see Appendix 6).

The quality and efficiency of the ERM function are also assessed through indicators:

 Ratio of CROs/ROs who have followed the ERM professionalization course;


 Number of events (materialized risks) with a catastrophic impact at Entity level.

3.8 Roll-out process, coordination and work schedule

This section explains how the Enterprise Risk Management process is rolled out within the organisation,
and with which interactions. It is cascaded as required within the BUs.

The CROs/ROs ensure:

 that Enterprise Risk Management is implemented in accordance with the “ENGIE ERM Guide”,
within their own Entity and within their subsidiaries;
 that the specific guidance issued by the Risk Management Division, following Executive
Committee decisions, has been taken into account;
 that risk reporting accurately reflects the major risks faced by the Entity.



3.8.1. Roll-out within organisations
Strategic approach (top-down) and operational approach (bottom-up)
The process is rolled out according to two approaches:
 The “top-down” movement starts from the management's viewpoint: it structures the risk vision
and provides the main orientations to be taken into account by the operational Entities as part
of their work;
 The “bottom-up” movement starts from the viewpoint of the operational Entities: they report
concrete scenarios involving the main risks.
The CROs/ROs cross-reference these two approaches at various levels to better structure the risk vision
and to enhance the assessment of these risks.

Specific ERM orientations for the year


The Risk Management Division provides the specific ERM orientations for the year, adopted by the
Executive Committee and reviewed by the Group Audit Committee. They may call for deeper
analysis of certain risks or risk categories for cyclical reasons. Further steps can also be added to the
ERM methodology, along with certain progress targets, depending on how long the approach has been in
operation.

Entity CROs/ROs take these orientations into account in their work.

Participation case – Non-majority-owned subsidiaries


CROs/ROs who have a subsidiary or participation within their perimeter may include in their review, if they
believe it to be relevant, the risk to which the subsidiary or participation exposes their Entities.

3.8.2. Intermediate and final reviews


An initial draft of the risk review, resulting in particular from strategic thinking (see above, coordination
with strategic and financial processes), is to be produced by each BU (and by each Operational Function
or Functional Division directly addressing certain risks) and communicated to the Risk Management
Division (RMD): the content is essentially qualitative and focused on identifying new risks or the evolution
of existing risks. Rough orders of magnitude are sufficient to prioritise and decide on the actions to
implement.

On that basis, the Risk Management Division organises an exchange of views in order to provide input
and boost the relevance of the risk exposure assessment and the associated mitigation plans.

Following this, each Entity finalises its risk review (validated by its CODIR) and submits it to the RMD :
the quantification of the impacts is made in reference to MTP 2018-2020 completed with the 3 years
forecast.

The assessment of TOP 3 of BU’s risks is detailed in the final risk review (impacts split by nature and
year).



3.8.3. Work schedule
The Risk Management Division sets a work schedule for preparing the Group risk review. The respect
of the risk reviews’ reporting deadline is mandatory to fulfil the Group's obligations.

Schedule for 2017



Chapter 4
Reference framework



4 REFERENCE FRAMEWORK
4.1 Group governance
4.1.1 The ethics of the Chief Risk Officer and the Risk Officer
Unethical behaviour is defined as any event constituting or perceived as a breach of laws and
regulations as well as of the ethical principles and values of the Group (as specified in its Ethics Charter). Such
an event may affect the integrity, sustainability and reputation of the company or the achievement of its
strategic, financial or operational objectives.

The CRO/RO assesses whether the risk-taking associated with strategic options, operational activities
and development projects remains at a reasonable, acceptable and tolerable level with regard to Group
policies, the business environment, common market best practices and general rules of the sector, in
compliance with local rules and regulations.

He complies with the Group's Code of Ethics and the professional code of ethics set out by FERMA
(Federation of European Risk Management Associations) - (available on the ERM SharePoint6).

He performs his duties with independence, responsibility and loyalty to the Group's interests by taking
risk evaluations or assessments carefully into account, by having them challenged by several other
interlocutors and by comparing them to external benchmarks. He then shares this knowledge with the
risk owners. In doing so, he also contributes to increasing the awareness of Directors and other risk
owners of the various legal and reputation issues to which they, or the Group, may be exposed.

Finally, he defends his point of view if, after discussion with the risk owners, he believes that certain
risks have been partially described, underestimated or overestimated, and he points this out in his report
to the Management Committees.

He has a duty to “report risks’’.

The CRO/RO assumes a duty to alert when faced with unethical situations and may seek advice and
guidance from the Entity's Ethics and Compliance Officer. Performance improvement and the legitimate
desire to develop business can never justify inappropriate behaviour contrary to the ethical principles
and values of the Group. Such behaviour may create an ethical, legal or reputation risk that is contrary
to the commitments of the Group and its General Management.

Due to the nature of their mission, CROs/ROs are bound by a strict duty of confidentiality.

4.1.2 Group Risk Management Policy


ENGIE's Enterprise Risk Management Policy defines the framework and organisation to set up with
regards to risk-taking and Risk Management in order to achieve the Group’s medium-term and long-
term goals. It concerns all of the Group's risks and sets out the framework that establishes specific Risk
Management policies defining the thresholds, quantified risk limits, risk-taking criteria and technical risk
mitigation options.

6 https://engie.sharepoint.com/ERM/Governance/4-Code of Ethics



This Enterprise Risk Management Policy applies to all of the Group's Entities, in accordance with their
applicable rules of governance. Each Entity or Group-controlled subsidiary will implement it within its
structure and within the regulatory framework that applies to it. Each manager is responsible for
implementing this policy in his Entity. Each CRO/RO is responsible for advising management on its
implementation.
Application of the policy is encouraged in minority subsidiaries or joint ventures via the Group's
representative on the Boards of these Entities (see §-II, Roll-out within organisations, and the Group
Director's Manual).
Failing this, the subsidiary will justify its existing Enterprise Risk Management system and its
compliance with international standards in this matter.

4.1.3 Specific risk policies


A risk policy describes how a given risk is managed: it sets out risk governance of the risk including, if
necessary, an ad-hoc steering group, the target exposure or the criteria for setting limits. It sets the
framework for the treatment implemented to contain the risk and the indicators to monitor the risk.

The general Enterprise Risk Management Policy can only achieve its objectives through a general
breakdown of its principles into specific risk policies for all of the Group's activities and functions. Every
major risk must eventually be covered by a specific policy.
To comply with the requirements of the general policy and the legal decree aimed at ‘’monitoring the
effectiveness of the Risk Management system’’, every specific risk policy of ENGIE must be made up
of the following elements:
- precise framing of the area covered;
- setting the accepted exposure limits, in line with the overall level of risk appetite or tolerance for
the Group, and determining the intermediary steps, if necessary;
- explaining the governance of the risk: the risk’s owner(s), management body, risk committee
where appropriate;
- description of the treatment procedures and supervision criteria for the risk;
- identifying relevant indicators for monitoring the risk, ideally with a link to the Group Risks
Catalogue.
Existing business policies or procedures may often contain some elements of risk policy. It is important
to ensure their completeness.
These policies apply to all of the Group's Entities, in accordance with their governance rules.

They are a key source of reference for CROs/ROs work.



4.2 Standards and regulatory framework
4.2.1 Legal and regulatory framework
Under the French law by which ENGIE is governed, the French Financial Security Act (LSF)
of 1 August 2003 and the French Economic Regulations (NRE) law of 15 May 2001, and subsequent legislation,
require listed companies to inform their shareholders of the risks to which they are exposed. The ENGIE
Reference Document presents the Group's risk factors taking into account the recommendations of the AMF (Autorité des
Marchés Financiers, the French financial markets regulator). It is reviewed by the
auditors and filed with the AMF.

The process defining the scope of the INCOME programme includes a detailed examination of the major
risks from the Group review, which provides focus points for internal control evaluation activities.

The Order of December 8, 2008, which incorporates the 8th European Company Law Directive into
French law, also requires the Board of Directors, through its Committees, ‘’to monitor the effectiveness
of the Risk Management system and internal control’’. These obligations apply to the management that
is responsible for Risk Management.

The AMF (Autorité des Marchés Financiers, the French financial markets regulator) headed a
consultative committee which, in 2010, confirmed the obligations of companies (8th Directive) (see the
document on the ERM SharePoint7). The provisions of the ERM Guide make it possible to satisfy these
expectations as regards Risk Management.

The Group is therefore required to provide its Board of Directors with information enabling it to comply
with the regulation. This ERM Guide describes the practices applicable to Entities within the Group (in
compliance with their respective governance rules) to enhance the effectiveness of their Risk
Management system and ensure relevant reporting thereof.
In addition, specific laws and regulations apply to some business sectors in which ENGIE operates and set the framework for Risk Management in these activities. Each activity should keep track of changes in its regulatory environment. Group Entities must comply with national legislation.

4.2.2 Compatibility with standards


The ENGIE ERM Guide takes into account the main international Risk Management standards. Although
it does not strive to comply exactly with these standards, it is compatible with them.
The following main standards are used:
- AMF Recommendation 2010 (the French financial market regulator);
- ISO 31000 – 2009 standard (International Standard Organisation);
- FERMA Guidance – 2011 (Federation of European Risk Management Associations).

7 https://engie.sharepoint.com/ERM/Governance/3-Risk policies



Chapter 5: Risk monitoring and assessment tools



5. RISK MONITORING AND ASSESSMENT TOOLS
5.1 Risk assessment support
ROs have access to a single tool, E-Risk, enabling them to formalise the risk assessment of their Entities regardless of their geographical perimeter. It is accessible at the following address: https://www29.enablon.com/E-Risk (to be opened in Google Chrome).

E-Risk guarantees the traceability of information and allows restricted information to be shared. In addition, the tool's functionalities facilitate the preparation of the risk review (see appendix 1: Risk review deliverable).

The tool is available on any device. Access to it is secured and synchronised with your Windows account.
Dedicated training sessions are organised to help users master the tool.

5.2 Documentary base: ERM SharePoint

The Risk Management Division has had a SharePoint space, ERM – ENGIE Risk Management, since February 2016.
This documentary base contains the reference documents for Risk Management and is accessible to the entire ERM Functional Line (and to the whole Group for the "Methods & toolkit" section).

5.3 Dedicated corporate social network for Risk Management

A specific Yammer group for Risk Management, titled ERM – Enterprise Risk Management ENGIE, has been created on ENGIE's in-house professional social network.
This group, accessible to all internal users, aims to share news related to risk management (events, news from the profession, etc.). It is also a platform for exchange and knowledge-sharing among its members.



ERM Guide – Appendices

1. Risk review deliverable
2. Risk sheet content – E-Risk overview
3. ERM interview guide
4. Recurring risk assessment
5. Risk basket assessment (aggregation)
6. ERM maturity assessment



Appendix 1: Risk review deliverable



The final deliverable consists of at least the items listed below. Additional items may be integrated.

1.1 Slide show with synthetic messages

– Executive summary (free format):
• Significant events which occurred and the evolution of the Entity's risk profile;
• Key strategic risks affecting the BU business model and strategic orientations (addressed during the ELS session);
• Target exposure;
• Level of confidence in the ability of the mitigation plans to reach the target risk;
• New actions to implement and to follow up at BU ExCom level;
• Key messages for the Group Top Management.

– Dashboard of the major risks (Top 10) based on the pessimistic scenario, among which the BU selects its Top 3 (E-Risk extract)

– Heat map in four levels (E-Risk extract)

– Extreme scenarios associated with the major risks, at least for the Top 3. Extreme scenarios are recommended for other risks when relevant

– Emerging risks

– Evaluation of the effectiveness of the Entity's Risk Management system (STR5 assessment, see appendix 6)

– Decisions taken in conclusion of the Entity's risk review (validation of the risk exposure assessment, the target exposure and the risk mitigation plans).

1.2 Appendices: risk sheets

Risk sheets are to be included for all major risks, as part of the deliverable. They are automatically
extracted from E-Risk.



Appendix 2: Risk sheet content – E-Risk overview



The first page is a summary of the risk information as described in the "Identification" and "Evaluation" tabs of the E-Risk tool: it is extracted as a report template from the "My reports" folder in E-Risk.

Restricted circulation
Risk sheets may contain sensitive and confidential information. They need to be adequately protected
(e.g. marking, distribution, consultation, etc.).

Residual scenario valuation: state the key risk assessment factors as a summary table.
• Financial impact: computed cumulatively over a 6-year period (MTP (3 years) + 3-year forecast), in local currency or in millions of euros. A precise assessment is not always possible; nonetheless, a single figure is requested for reporting purposes. The range of uncertainty may be disclosed in the detailed assumptions.

• Non-financial impact: define the type of impact among: reputation or image / human resources / social or societal / environment / legal / health or safety. Assess the level of impact on the ERM 1-4 scale.



• Likelihood: a single value between 0% and 100%. A precise assessment is not always possible; nonetheless, a single figure is requested for reporting purposes. The range of uncertainty may be disclosed in the detailed assumptions.

• Quality of mitigation plans: assessed on a four-level rating scale:
- To (re)build
- Low
- Improvable
- Good

• Risk time horizon, to be specified:
- Short term: the risk occurs within 3 years,
- Medium term: the risk occurs within 4 to 6 years,
- Long term: the risk occurs beyond 6 years.

• Trend: estimated as increasing, decreasing or stable on the basis of the evolution of the risk and of the events that occurred during the period.

Risk description
• Entity: Entity denomination as identified within the organisation and integrated in E-Risk.
• Risk category: specify here the category related to the risk, from the ENGIE risk catalogue. Choose the best-fit category, even if the risk also marginally affects another category.
• Country: with reference to the Entity location.
• Risk owner: state the name or function of the risk owner designated during the risk review. The risk owner may be the operational manager or the manager of a Functional Line.
• Description: description including, if necessary, notes on the risk's perimeter. The description shall make the business challenge caused by the risk, and its context, understandable. It is specific rather than generic, and short (summarised).

Scenario description that led to the risk assessment

• Underlying assumptions for assessing impacts and probabilities. Show the selected scenario. Specify the sensitive parameters needed to understand the impact and its link to costs (e.g. breakdown duration, quantity, unit prices, etc.). State in conclusion the final selected values (value or range; the order of magnitude is required rather than exact figures). If a model was used, describe the model briefly, its building principles and its qualification stages. Show the link between the value returned by the model and its correspondence in terms of a concrete occurrence scenario.

• Analysis of the main causes of the risk: show the main causes. This is not an exhaustive list of all possible causes, but of the main ones. Each cause must be described briefly. Indirect causes or "risk factors" that increase the risk impact or likelihood are just as relevant as direct causes. Identify the primary (root) causes wherever possible.

• Analysis of the main consequences of the risk: as for causes, show the main consequences. Indicate when the consequences of the risk can have cascading effects (domino effect or contamination). Specifically, show whether the consequences can spill over beyond the Entity and impact other entities. Where applicable, name the other entities affected. In the same way, show any specific dependency that may exist on another Entity, in case an unforeseen event in that Entity could affect your Entity.



Risk evolution since previous assessment
Show notable events that have occurred since the last review, such as disasters or near-misses, either within the Entity's perimeter or outside it as a benchmark.

Mitigation plan
Describe the main actions implemented, as an application of the Risk Management strategy, to achieve the target risk level.

- Descriptive title of the action or treatment
- Risk management strategy: removing, reducing, transferring, sharing
- In charge: indicate the name of the person accountable for each action or mitigation plan
- Progress: with reference to the level of advancement in %
o Planned
o Ongoing
o Finalized
o Abandoned
- Deadline: horizon for completion of the action.



Appendix 3: ERM Interview Guide



To identify and assess risks or prepare the risk review, it is common practice to interview managers.
Below is an initial list of questions designed to help the Risk Officer carry out these interviews. Not all
questions apply to a particular stage in the process and they will need to be adapted and selected
according to the context.

• Preparing the risk map

What events could seriously affect the achievement of the goals you have set for your business, or that the Group has set, whether arising from an external event, a crisis, human factors, opinion trends, a long-term threat, a current event, an internal failure, one of our stakeholders, etc.?
- Could you list the 3 greatest risks for your field of business?
- Could you list the 3 greatest risks for your Entity outside your field of business?
- For each risk, can you list the main causes, consequences and control measures implemented, and briefly assess the impact, likelihood and the quality and effectiveness of the mitigation plan?

New business development:
- What are your main areas for development?
- What are the main threats that could hamper or challenge this development?
- Can these threats be addressed? Do we have the competencies and resources to manage them?
- Could their assessment lead us to miss out on these development opportunities?

• Approving the risk map

- Is there an important risk for your business that is not shown in the risk map?
- Should the definition of the risks for your business (description and segmentation) be substantially modified or expanded?
- Does any risk appear significantly under- or over-estimated (impact or likelihood)?
- How can you respond so as to generate performance, maintain your reputation or guarantee your continuity (risk reduction to anticipate future reaction)?

• Exposure of businesses and of the Group

- Could certain risks in your Entity reach an unsustainable level, in a stressed scenario for example?
- In this case, does their impact seem sufficiently reduced or contained to you?
- Another way of reducing risk is to diversify it. In your view, are the value- and reputation-creating factors sufficiently diversified?
- In your view, what level of financial, legal or reputational hazard is reasonable for your business and for the Group?



• Cross-functional risks
- Could certain risks in other entities reach an unsustainable level that threatens your business?
- Do you perceive any risks for your Entity that could be coupled with other entities' risks (i.e. a particular risk that leads to another one)?
- Are there any risks in your Entity that offset those in other entities?
- Do certain risks require cross-functional coordination or management?
- If so, which manager or Entity do you suggest should manage these risks?
- Again if so, what proportion should be delegated and what proportion should be controlled by a cross-functional decision-making body?

• Benefits of ERM
ERM aims to boost confidence in the Group, its products and the quality of its services, as well as to strengthen the decision-making process, by offering a succinct enterprise-wide overview of risks and knowledge of the exposure of the entities and of the Group.
- To what extent do you think this goal has been achieved?
- Do you expect other benefits from ERM?
- What issues should be priorities for next year?

• Extreme scenario
- In your industry or functional line, what type of risk is a reference because of its financial or non-financial impact?
- What would be an adapted scenario for your Entity?
- What would be its impact and likelihood?
- Do current mitigation plans take this type of risk into account, so as to bring it down to an acceptable impact/likelihood level?

• Opportunities
- Are there opportunities linked to the identified risks?
o Uncertainties that could have positive or negative effects
o Competitive advantage in case of better risk control than competitors
o Risk Management skills whose development could lead to a service offering.



Appendix 4: Recurring risk assessment



How do we assess the occurrence likelihood and impact of a recurring risk?

Example:
Case of an event that may occur in any given year, with an impact of €100 million and a likelihood of 10%.

[Figure: year-by-year occurrence tree over the horizon; red: risk occurs, green: risk does not occur; axes labelled Probability and Impact]

Over 6 years, the likelihood that nothing happens is about 53%.

On the other hand, the likelihood that this event happens six consecutive times is very low: 0.0001%!

The Risk Officer, with the involvement of the risk owner, exercises his own professional judgement to determine the impact/likelihood assumption to be retained.



Appendix 5: Risk basket assessment (aggregation)



• Generally, in ERM, a risk is displayed in terms of its financial impact / likelihood for a residual scenario.
• A risk has a binary likelihood:
- Likelihood "L" that the scenario occurs, with an impact "I"
- Likelihood "1-L" that the scenario does not occur, with an impact "0".

• Simplified vision of the distribution curve of possible events:
- For instance, an accident on an industrial site can range from a harmless incident to a major incident that affects all parts of the asset. In the ERM process, only one significant scenario is chosen
- Sufficient and robust approach for ERM analysis
- More specific calculations for some businesses: market risk, counterparty risk, project risk, etc.

• "Expected Loss" = L × I (likelihood × impact)
• Indicator of the average loss of the adopted scenario (it is not necessarily an impact that is going to happen)
• Very different risks might have the same Expected Loss (EL). For instance, an EL of €1.5 million might be:
- Severity risk (impact €150 million, likelihood 1%);
- Frequency risk (impact €2 million, likelihood 75%).
Think about it: EL reflects neither the difference between these two risks nor the risks themselves.

EL can only be used to assess the average loss of a group of risks, and not for a few isolated risks.

Aggregation rules
When the risks in a basket are independent, the EL of the basket is equal to the sum of the ELs of the risks in the basket.

Warning: the risks might not be independent. In this case, the combination rules are different:

- Independent risks: add up the ELs
- Correlated risks: weak correlation → considered as independent risks
Strong correlation → impacts to be added / common likelihood to be kept
- Exclusive risks (if one occurs, the other cannot occur, and vice versa): choose one

It is advisable to ensure that the aggregated risks are homogeneous in frequency and severity, so that the equivalent risk is representative of the elementary risks, regardless of the method used.
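The rules above, as an added worked example in Python (not the guide's Excel calculation tool and not ENGIE code): a risk is reduced to the (L, I) pair of its residual scenario, the three combination rules are applied, and the exact loss distribution of an independent basket is enumerated so that the difference hidden by EL becomes visible. The guide's own severity/frequency pair (EL €1.5 million each) is included as given in the text; the three-risk basket and the factor-of-10 homogeneity tolerance are constructed assumptions of this example. For the equivalent risk A of an independent basket, the likelihood is taken as the probability that at least one risk occurs and the impact is chosen so that L × I preserves the basket EL; since the guide leaves the position of A to management, that is one defensible choice rather than the guide's rule.

```python
from dataclasses import dataclass
from itertools import product
from math import prod
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    """One ERM risk reduced to the residual-scenario pair (L, I)."""
    name: str
    likelihood: float  # L: probability that the scenario occurs, 0..1
    impact: float      # I: financial impact if it occurs (EUR million)

    def expected_loss(self) -> float:
        """EL = L x I, the average loss of the adopted scenario."""
        return self.likelihood * self.impact


# The guide's example: two very different risks with the same EL of EUR 1.5M
SEVERITY = Risk("severity risk", 0.01, 150.0)
FREQUENCY = Risk("frequency risk", 0.75, 2.0)

# Constructed basket of three homogeneous, independent risks (sample values)
BASKET = [Risk("R1", 0.20, 50.0), Risk("R2", 0.30, 40.0), Risk("R3", 0.25, 60.0)]


def aggregate(risks: List[Risk], relation: str) -> Risk:
    """Combine a basket into one equivalent risk A following the guide's rules.

    relation: 'independent' or 'weak' (add up the ELs), 'strong' (add the
    impacts, keep the common likelihood) or 'exclusive' (choose one).
    """
    if relation in ("independent", "weak"):
        # Basket EL = sum of ELs.  For the single equivalent risk A we take
        # L_A = P(at least one risk occurs) and set I_A so that L_A x I_A
        # preserves the basket EL (an assumption of this example; the guide
        # leaves the position of A on the curve to management).
        total_el = sum(r.expected_loss() for r in risks)
        l_any = 1.0 - prod(1.0 - r.likelihood for r in risks)
        return Risk("A", l_any, total_el / l_any)
    if relation == "strong":
        common = risks[0].likelihood
        if any(abs(r.likelihood - common) > 1e-9 for r in risks):
            raise ValueError("strongly correlated risks must share one likelihood")
        return Risk("A", common, sum(r.impact for r in risks))
    if relation == "exclusive":
        # Only one can occur: the guide says "choose"; keeping the risk with
        # the larger EL is this example's selection rule, not the guide's.
        return max(risks, key=Risk.expected_loss)
    raise ValueError(f"unknown relation {relation!r}")


def loss_distribution(risks: List[Risk]) -> Dict[float, float]:
    """Exact distribution of the total loss of independent binary risks.

    Enumerates the 2^n occurrence patterns, so it suits the small baskets of
    a risk review, not hundreds of risks.
    """
    dist: Dict[float, float] = {}
    for pattern in product((False, True), repeat=len(risks)):
        p, loss = 1.0, 0.0
        for risk, occurs in zip(risks, pattern):
            p *= risk.likelihood if occurs else 1.0 - risk.likelihood
            loss += risk.impact if occurs else 0.0
        key = round(loss, 6)
        dist[key] = dist.get(key, 0.0) + p
    return dist


def is_homogeneous(risks: List[Risk], max_ratio: float = 10.0) -> bool:
    """The guide's caveat: aggregate only risks comparable in frequency and
    severity.  The factor-of-10 tolerance is this example's assumption."""
    ls = [r.likelihood for r in risks]
    imps = [r.impact for r in risks]
    return max(ls) / min(ls) <= max_ratio and max(imps) / min(imps) <= max_ratio


if __name__ == "__main__":
    a = aggregate(BASKET, "independent")
    dist = loss_distribution(BASKET)
    print(f"basket EL = {sum(r.expected_loss() for r in BASKET):.1f}; "
          f"A: L = {a.likelihood:.2f}, I = {a.impact:.1f}")
    for loss in sorted(dist):
        print(f"  loss {loss:6.1f}: {dist[loss]:.3f}")
    print("homogeneous:", is_homogeneous(BASKET), is_homogeneous([SEVERITY, FREQUENCY]))
```

Run as a script, it shows the basket EL of 37, an equivalent risk A with L = 0.58 and I ≈ 63.8 (above the largest single impact, as the guide's figure suggests), and the exact loss distribution. Two points worth checking with it: first, two strongly correlated risks with a common likelihood give the same EL as if they were independent (L × (I1 + I2) = L × I1 + L × I2) but a much heavier tail, since losing both impacts has probability L instead of L²; second, aggregating the heterogeneous severity/frequency pair yields an A whose EL-preserving impact (about €4 million) is far below the €150 million severity impact, so A no longer represents the elementary risks. Both illustrate why the guide asks for homogeneous baskets and keeps the position of A a managerial decision.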



• Risk aggregation of risks (1), (2) and (3) [figure]
• The resulting risk (A) is shifted towards a higher likelihood and a bigger impact
• The position of A on the curve is a managerial decision

An Excel tool for aggregating independent risks is available on the ERM SharePoint (footnote 8).

8 https://engie.sharepoint.com/ERM/Methods & toolkit/ERM guidelines/ Calculation tool



Appendix 6: ERM maturity assessment



ERM maturity

Risk management maturity can be assessed by reference to the controls outlined in STR5 (risk management process). Assessments should be reported through the MOSAIC tool wherever possible.

Macro-risks and associated INCOME risks (STR5 program)

MR1 - Excessive or uncontrolled risk taking

Risk STR5R001: Risks are poorly identified, poorly evaluated, or mitigation plans are not defined or are not efficient enough

Control STR5C100-C1
Risk review by a trained Risk Officer, according to the ERM methodology, under the supervision of the Chief Risk Officer

Risk STR5R002: Risks are not taken in accordance with the delegation of authorities

Control STR5C200-C1
Approval in the General Management Committee of the existing and target risk exposure for current activities and new projects

MR2 - Risks not or badly managed

Risk STR5R003: The mitigation plans are not implemented, not monitored or not efficient

Control STR5C300-C1
Monitoring of mitigation plans for major risks

Transverse risk

Risk R.CONF: Confidentiality of sensitive information is not assured by existing classification and safeguarding procedures

Control STR5C0090-C1
Information classification and protection

