Risk management and internal control
Risk management and internal control are at the heart of every effective management control system, including TenneT’s.
Risk management and internal control objectives
With our Risk management and Internal Control System we aim to identify and manage any risks threatening realisation of TenneT’s strategic and operational objectives, as well as enhance the control we have over our day-to-day processes.
The key objectives of TenneT's risk management and internal control system are:
- Identification and assessment of future events with negative or positive impact on strategic, operational, process and/or project objectives
- Creating risk awareness and an open corporate culture to address risks and opportunities
- Providing a uniform risk management process and tools to help the organisation make decisions based on consolidated, timely, relevant and reliable information, to ensure efficient, priority-based resource allocation
- Providing transparency and comfort to the boards, the internal and external auditor as well as the shareholder that they are apprised of the most significant risks potentially impacting shareholder value, non-compliance issues and/or increasing director and officer’s liability
TenneT's Enterprise Risk Management and Internal Control Framework are based on the latest COSO model (Committee of Sponsoring Organisations of the Treadway Commission) and are compliant with the requirements of applicable laws and regulations, e.g. the Dutch Corporate Governance Code, the German Control and Transparency in Business Act and the German Accounting Law Reform Act.
ERM is clustered in:
- Strategic risk management
- Operational risk management including risk and portfolio management with respect to asset management
- Project risk management
- Internal Control (process risk management)
Therefore, to unfold the full value of risk management and internal control for the organisation, the following factors are designed according to the stakeholder requirements:
- Structure: policies, IT-systems, reports, processes, etc.
- People: roles and accountabilities, profile, education and skills, etc.
- Competencies: risk culture and competence on management level, etc.
Risk management, as a second line of defence function, is interlinked with other second line functions such as risk transfer, Business Control, Project Control and the Compliance Office, as well as third line functions, e.g. Internal Audit. Twice a year the Executive and Supervisory Boards receive an overview of risks on all company levels. These risk reports include the status of internal controls as part of the risk management reporting. This provides management with the necessary means to realise an effective risk management strategy.