Risk management and internal control framework
Our risk management and internal control framework is based on the international COSO II model (Committee of Sponsoring Organisations of the Treadway Commission) and designed along the following pillars:
- Strategic risk management
- Operational risk management, including risk and portfolio management with respect to asset management
- Project risk management
- Internal control
The COSO II model defines four types of risk: strategic, operational, reporting and compliance. Our internal control framework covers reporting and compliance risks, with our compliance function providing additional coverage of certain compliance risks.
Strategic risk management
Strategic risks are those that jeopardise the realisation of TenneT’s strategic objectives and goals. Strategic risks are managed by the Executive Board. A strategic risk assessment is performed at the end of every year and updated mid-year. The Executive Board evaluates the risks as they develop as well as the effectiveness of applicable mitigating actions. TenneT’s strategic risk position is shared and discussed with the Supervisory Board and the Audit, Risk and Compliance Committee.
Operational risk management
The operational risks affecting the various performance units and corporate departments are documented and evaluated to assess the adequacy of mitigating actions at least twice a year. Our Risk Management & Internal Control department challenges management to review risks and related mitigating actions. TenneT's updated operational risk position is part of the Letter of Representation.
Risk & portfolio management
Risk & portfolio management is part of TenneT’s asset management process and helps us make risk-based assessments when taking investment decisions. Grid constraints are identified by analysing grid components and failures and by monitoring the necessary transport capacity. These constraints are assessed according to the risk they pose to TenneT’s objectives. Should the risk exceed a predefined level, a measure to mitigate this risk is proposed and included in our investment portfolio.
In the Netherlands, the results of these analyses are summarised in our bi-annual Quality and Capacity document, which is reviewed by the Dutch regulator. In Germany, TenneT Germany and the other German TSOs draw up joint bi-annual onshore and offshore grid development plans that require approval from the German regulator.
Project risk management
TenneT’s project risk management system is designed to help realise large-scale infrastructure projects on time and within budget, while adhering to quality requirements. The purpose of day-to-day project risk management is to review and manage risks systematically, taking into account the specific project category. Projects are classified and assigned to one of three categories of project risk management: simple, medium and complete. For each category, the scope of project risk management is defined in a description.
Internal control
Our internal control framework is designed to support and safeguard the realisation of our process objectives, as well as to fulfil our legal obligations and establish the reliability of our internal and external reporting. To assess the effectiveness of this framework and identify opportunities for improvement, a control self-assessment is performed by control owners and validated by management twice a year. Risk Management & Internal Control performs quality assessments on the outcomes. Internal Audit checks randomly selected self-assessments during the year to form an independent opinion. The outcomes of these control self-assessments are direct input for the Letter of Representation procedure. Identified issues are reported to Risk Management & Internal Control, which monitors and follows up on mitigating steps with the relevant business owners. Overall control effectiveness is reported in our State of Risk report.