We contribute to the sustainable development of the countries where we operate, with innovative network infrastructures and digital services, sharing our skills and know-how. Read more

Latest press releases

Read the latest press releases and search the archives of TIM Group's Press Office.

TIM and LGBT+ people: the road to inclusion

Our presence at the Pride events, our collaboration with Parks, Valentina' story , LGBT+ wife and mother. Read more

Enterprise Risk Management

In order to ensure a global approach to risk management, the TIM Group has adopted an Enterprise Risk Management (ERM) process. This is a corporate risk governance tool used to identify, assess and manage risks. 

The Group has adopted an Enterprise Risk Management (ERM) Model which allows risks to be identified, assessed and managed uniformly, highlighting potential synergies between the parties involved in assessing the Internal Control and Risk Management System. The ERM process is designed to identify potential events that may influence the business, in order to manage risk within acceptable limits and provide a reasonable guarantee that business objectives will be achieved.

The process is managed by the ERM Steering Committee, which is chaired and coordinated by the head of the Security Department. The Steering Committee meets every three months (or when specifically required) and is intended to ensure the governing of the Group risk management process, which is designed to guarantee the operational continuity of the company's business, monitoring the effectiveness of countermeasures adopted.

The process adopted is cyclical and includes the following stages:

1 - Definition of the Risk Appetite and of the Risk Tolerances

  • Risk Appetite is the amount and type of Risk, overall, that a company is willing to accept in the creation of value, namely in the pursuit of its strategic objectives. It is discussed and defined annually by the Board of Directors at the sessions held to approve the Business Plan. The Risk Appetite is broken down into Risk Tolerances;
  • the Risk Tolerances represent the level of risk the Company is willing to assume, with reference to the individual objective categories (strategic, operational, compliance, reporting).

Compliance with the Risk Tolerances and Risk Appetite is monitored quarterly and reported to the Board of Directors, after the Control and Risk Committee has been informed.

2 - Risk Assessment

This phase covers the identification, definition and assessment of the risks. It starts with the fine-tuning of the Risk universe, namely the document that contains the description of the main characteristics of all the risks identified; the risks are presented, in interviews, to the process owners who, together with Risk Management, assess their severity and document the mitigating actions in order to position them on a specific 3X3 matrix (Risk and Control Panel - R&CP). The matrix dimensions are:

  • the “level of inherent risk”, namely the level of variance with respect to the Business Plan deriving from the occurrence of an event (risk);
  • “monitoring level”, based on the evaluation of the mitigating actions implemented.

This matrix allows the action priorities for the mapped risks to be set. All the risks assessed as High in the R&CP matrix form the Corporate Risk Profile (CRP). The CRP risks that have a partial or non-existent monitoring level are subject to a Root Cause Analysis aimed at grouping related risks into homogeneous improvement areas. The positioning of the risk in the matrix described above is also the result of:

  • collaboration with the Compliance department, which considers the monitoring level with regard to non-compliance aspects and
  • synergies with the Audit department relating to the evaluation analysis of the suitability and efficiency of the mitigating actions identified.

3 - Risk Response

The aim of this phase is to identify and implement the strategic options for responding to risk and to bring the risks back to or maintain them at acceptable levels. The responsibility for identifying and implementing the risk response lies with the Process Owner, with the support of Security - Enterprise Risk Management department to overcome the monitoring gaps identified in the Risk Assessment phase. A suitable risk response must be defined for each risk, in line with the action priority represented by its positioning in the Risk & Control Panel. The Risk Response is broken down into the following “sub-phases”:

  •     planning,
  •     execution,
  •     stocktaking and measuring of the performances.

 

4 - Drawing up the Reporting Flow

The ERM process also allows to identify emerging risks, i.e. risks which might compromise business operations in medium-long term or risks which are highly dynamic and fast-changing in a way that the lapse of time between the occurrence of an event at risk and its consequences is very short; as a way of example ‘Brexit’ is reported. On June 23, 2016, the United Kingdom (the ‘UK’) held a referendum in which voters approved an exit from the European Union.

Brexit, and even uncertainty over potential changes during any period of negotiation, could result in further instability in global financial markets and uncertainty with respect to national laws and regulations as the U.K. determines which E.U. laws to replace or replicate. Any of these effects of Brexit, among other factors, could adversely affect our business, financial condition, operating results and cash flows.

So far the company has been implemented the following mitigation actions:

  •     careful monitoring of regulatory development
  •     strict implementation of internal policy on financial risks, with particular focus on Great Britain counterparties.

Download the document

Business Continuity System

180 KB

Traffic monitoring Covid-19

1178 KB

Covid 19. TIM highlights

788 KB