Risk management and internal control framework
Our Risk Management and Internal Control Framework is based on the international COSO II model (Committee of Sponsoring Organisations of the Treadway Commission). We distinguish between the following types of risk management and internal control activities:
- Strategic risk management
- Operational risk management
- Project risk management
- Internal control
- Risk and portfolio management (within Asset Management process)
The COSO II model distinguishes four categories of objectives, and therefore of risk: strategic, operational, reporting and compliance. The last two are covered by our internal control framework.
Strategic risk management
Strategic risks endanger the realisation of TenneT's strategic objectives and goals. They are managed by the Executive Board, which evaluates the risks as they develop as well as the level of control in place. A strategic risk assessment is performed annually. The strategic risk position is shared and discussed with the Supervisory Board and the Audit, Risk and Compliance Committee.
Operational risk management
The operational risks affecting the various departments are identified and analysed at least twice yearly by the Risk & Internal Control Department in conjunction with the responsible senior managers. All departments produce a mid-term plan detailing the status of operational risks and how they are addressed. Each quarter, a summary of the most important operational risks for TenneT in the Netherlands and Germany is provided to the Executive Board and to the senior management team. In addition, to comply with local laws and regulations, specific operational risk reports are drawn up periodically in accordance with the German Business Control and Transparency Act and the German Accounting Law Reform Act.
Project risk management
TenneT's project risk management system is designed to foster the realisation of large-scale infrastructure projects on time and within budget, while adhering to quality requirements and remaining compliant with corporate objectives. Projects are classified and assigned to one of three categories of project risk management: simple, medium and complex. For each category, the scope of project risk management is prescribed transparently and comprehensibly. The purpose of day-to-day project risk management is to review and manage risks and opportunities systematically, taking into account the specific characteristics of each project. TenneT's project risk management process consists of risk management planning, risk identification, risk analysis and evaluation, the development of risk mitigation measures, monitoring and review, and risk communication.
Internal control
Our Internal Control Framework (ICF) is designed to support and safeguard the realisation of our process objectives, to fulfil our legal obligations and to ascertain the reliability of our internal and external reporting. The ICF is integrated in our risk management framework and focuses on process goals and on managing the risks related to the execution of our business processes. To assess the effectiveness of the ICF and to identify opportunities for improvement, a Control Self-Assessment (CSA) is performed twice a year. The CSA is performed by the control owners and validated by management. Risk Management & Internal Control double-checks the results to safeguard quality and integrity, and Internal Audit reviews randomly selected CSAs during the year to provide an independent opinion. CSA outcomes are direct input for the letter of representation (LOR) procedure, by which senior managers take accountability for designing, implementing, monitoring and maintaining a framework of measures and controls to mitigate key risks. Identified issues are reported to Risk Management & Internal Control, who monitor and secure follow-up on the mitigating steps with the assigned business owners.
Risk & portfolio management
Risk & portfolio management is part of TenneT's Asset Management process and is key to the risk-based process for making investment decisions. Grid constraints are identified by analysing grid components and their failures. In the Netherlands, the results of these analyses are summarised in the investment plan drawn up every two years, which is reviewed by the Dutch regulator. In Germany, TenneT and the other German TSOs together draw up annual onshore and offshore grid development plans, which require approval from the German regulator.
The constraints are assessed according to the risk they pose to TenneT's business-value framework. Should the risk exceed a predefined level, a measure to mitigate it is proposed and included in the investment portfolio. Mitigating measures are prioritised each year.