You are here

The internal control and risk management system

The internal control and risk management system consists of a collection of rules, procedures, and organizational structures aimed at enabling the identification, measurement, management and monitoring of the main corporate risks in the Group. The system covers three types of activity:

  • line control” (or “first level control”), consisting of the set of control activities the single operating units or Group companies perform on their own processes in order to guarantee the correct undertaking of operations;
  • second level controls”, which are entrusted to specific corporate departments and which aim to manage and monitor typical categories of risks;
  • internal audit (“third level” controls), aims at verifying the structure and function of the system overall, also through monitoring the controls, as well as the second level control work.

The system is subject to periodic tests and checks, taking into account the evolution of corporate operations and the situation in question, as well as best practices. For a detailed description of the duties and responsibilities of the main subjects involved in the system, as well as the means of coordination among them, please refer to Guidelines of the internal control and risk management system, which are available at

Owing to the nature of its business the Group is exposed to various types of risk which are set out in the table below.

For each of these, specific actions have been identified to mitigate its effects and ensure correct management.

In regard to financial risks, such as market risk (including the risk of changes in interest rates, exchange rates and commodity prices), credit risk and liquidity risk, the governance adopted by the Group envisages:

  • the presence of specific internal committees, consisting of the Group’s top management and chaired by the Enel Chief Executive Officer, responsible for policy setting and supervision of risk management;
  • the issue of specific policies and procedures, at the Group and individual Division/Country/Business Line levels, which establish the roles and responsibilities for risk management, monitoring and control processes, ensuring compliance with the principle of organizational separation of units responsible for operations and those in charge of managing risk;
  • the definition of a system of operating limits at the Group and individual Division/Country/Business Line levels for the various types of risk, which are monitored periodically by risk management units..

Detailed information is available in the Group Annual Report 2016 available on the Company’s website (

Analysis of counterparties

The ability to adequately assess counterparties and to promptly intercept any threats and risk elements is increasingly an essential requirement not only to protect organizations’ reputation but also for their very survival. The analysis of the counterparties is requested by the Business Lines, Departments and services, the request is facilitated and supported by an instrument and by a methodology provided by the Security unit which at the same time is responsible for formally verifying and optimizing the operations requested. Even if the analysis may also be assigned to third parties, the process and the methodology must guarantee the application of a criterion for standard assessment, monitoring and reporting.

The analysts are required to collect all the relevant information regarding the reputation of the subjects involved within the defined scope. This work is carried out by making searches from all sources which are open, private, and available, including at least: internet – social networks; Public Administration – Chamber of Commerce; public database of the judicial system; corporate database, paying attention not to violate the Company’s policies/procedures or the laws of the country (for example protection of personal data, anti-trust laws, etc.); international databases (for example World Check).