Risk management
Management and control
Risk management contributes to realising our strategic objectives in a responsible manner. With our risk policy, we carefully weigh which risks Eneco Group is running and which control measures we should implement to counter them, and we assess the effectiveness of these measures.
Governance
The Board of Management is responsible for the risk management of the whole Group. Our risk management is based on the three lines of defence model. This structure ensures that we follow the current good practices with regard to risk management. The Board of Management has delegated the execution of risk management primarily to the directors of the business units (i.e. the first line of defence). Business Control and staff/functional areas such as compliance and security support the business units from the second line of defence. The Group Risk Management department is also part of the second line of defence and translates policy into guidelines and coordinates the risk management process. The Internal Audit function (third line of defence) conducts independent audits and reports the results to the Board of Management and the Audit Committee of the Supervisory Board.
The directors of the business units discuss their risks, risk estimates and the status of measures directed at mitigating and controlling these risks every quarter. The most important risks and measures are reported to the responsible portfolio holder in the Board of Management every quarter in the Business Unit Review. These are consolidated and reported to the Board of Management and the Audit Committee.
The Audit Committee supervises the adequate functioning of the risk management activities. We have laid down the risk limits on a company level in various concrete policy statements, codes and guidelines in areas such as safety, trading mandates, authorisations and conduct. In addition to the quarterly reports, a number of risk management topics were given more specific attention in the Audit Committee in 2017. These topics included the investments in Eni and LichtBlick, an update of the Treasury Charter, the financing requirement in relation to the rating of Eneco Group after the unbundling, and cyber security.

Risk and performance management framework
We use the internal Eneco control and risk management system (ECRS), which is based on the COSO ERM framework, the worldwide standard for Enterprise Risk Management. The ECRS comprises a systematic approach for risk assessment, a set of control measures and a self-assessment method with which the management of the business units can determine whether the control measures are effective.
Risk management is an iterative and continuous process and is part of the regular Business Planning Cycle. The business units carry out a thorough analysis of the threats and opportunities at least once a year. For each significant risk, we determine what the possible impact could be on the risk categories Financial, Reputation, Integrity and Safety. We implement control measures that reduce individual risks and by means of financial-strategic projections supported by sensitivity analyses, including single-event stress tests and VaR analyses for the total of all business risks. Risk management systems have been set up on all levels of the organisation which contain specific risk-mitigating measures.
Risk tolerance
Our risk tolerance is divided into risk categories, as defined within Eneco Group:
Risk category | Low | Medium | High |
---|---|---|---|
Safety | Injury with alternative work | Injury with absenteeism or hospitalisation | One or more fatalities |
Integrity & Compliance | No/limited fraud possibilities | Incidental fraud possible | Large-scale fraud possible |
Financial | < €1 million | > €1 million | > €10 million |
Reputation & Quality | Limited negative image among stakeholders | Decrease in confidence among stakeholders | Structural damage among stakeholders |

Risk category | Risk tolerance |
---|---|
Safety | A lot of attention is paid to safety within Eneco and our risk tolerance is very low. We regard serious incidents (hospitalisation, fatal accidents) as unacceptable. |
Integrity & Compliance | The management has a zero-tolerance policy with regard to integrity and compliance risks. |
Financial | Our risk tolerance is low in general; however, sometimes we have to ‘accept’ a higher financial impact for a risk because the possibility to mitigate this risk is limited (for example the weather risk). In addition, we consciously opt for a higher risk profile in specific areas, such as innovation and transformation. We use sensitivity analyses and stress tests to determine whether we are sufficiently robust to deal with negative developments and incidents. |
Reputation & Quality | Our risk tolerance is low and where possible we try to avoid any occurrence that could give rise to a negative image of the Group. |
Developments in 2017
Business units carry out a self-assessment for the designated key controls at least twice a year. Key controls are control measures that reduce high risks. For controls in the field of IT, financial reporting and financial management information, an ambition on the ‘prove me’ level applies for demonstrability. The number of controls in the field of authorisation management and IT change management were expanded and enhanced in 2017. A further quality improvement with regard to demonstrability is necessary to achieve our ambition level.
The unbundling carried out at the beginning of the reporting year demanded a special effort of the organisation in order to carry this out in a controlled manner. The unbundling of both the IT organisation and the financial administrative side took place without material incidents. Following the unbundling, we adjusted our financial risk tolerance and impact scale to the size of the new organisation.
For the internal supervision and management of our growing portfolio of innovative participations, the Venture Board was established in the past year, with representatives from the Board of Management.
Incidents
A number of incidents occurred in 2017. We will discuss two major incidents.
Eneco Zakelijk was hit by a ransomware virus in February 2017, due to which the normal business operations were disrupted for two days. The ransomware entered our system via the internet and was activated by a click on a link in an email. The ransomware penetrated the configuration files of our customer system, leading to the interruption of customer and invoicing processes. The interruption lasted in total about 36 hours due to back-up recovery and extra controls. This incident and the increased international threat level for the energy sector have led to a significant investment in 2017 in cyber security: extra Microsoft licences, an awareness programme for personnel (Kaspersky) and advanced threat protection.
A subcontractor used grit sand that was contaminated with asbestos when carrying out maintenance work at the heating plant Vijfwal in Houten in October. The work at the site was immediately stopped, and local residents and the people directly involved were informed. Measurements showed that the asbestos was limited to the site of the power plant. The power plant was taken into operation again after a thorough decontamination of the site.
Reference is made to the paragraph Integrity and compliance in this annual report for reporting on incidents regarding compliance.
Strategic risks
Strategic risks are long-term risks that influence the realisation of our strategic objectives. Based on a stakeholder analysis, we determined which material themes are important for our stakeholders. We then defined the most important strategic risks for each theme.
Material themes | No. | Strategic risks |
---|---|---|
Living within the limits of the planet | 1 | Loss of credibility sustainable image |
Living within the limits of the planet | 2 | Uncertain future government policy and regulations with regard to sustainability |
Customers participate in the energy transition | 3 | Falling behind in the energy transition |
Relevant for the customer | 4 | Responding insufficiently to our customers’ needs |
Employee engagement | 5 | Insufficient competencies and employability of personnel |
A healthy financial return | 6 | Financial return of sustainable generation comes under pressure |
Below, we discuss the strategic risks in more detail as well as our mitigating strategies.

Loss of credibility sustainable image
Eneco Group's mission is ‘everyone's sustainable energy’; we want to be leading in the energy transition and to be recognised as a sustainable energy company. Our aim is to operate in the future within the limits of our planet and to help our customers, partners and suppliers to do this as well: our One Planet ambition. This ambition has been translated into a CO2 reduction target for our own business operations and growth in sustainable production capacity. This is expressed in external benchmarks such as the NGO ranking in the Netherlands and the Greenpeace ranking in Belgium. In order to protect our image, we choose our suppliers and partners carefully and we apply ‘know your customer’ criteria when accepting commercial customers and counterparties. We also mitigate the risk by means of transparent communication with stakeholders about the progress of the implementation of our strategy.
Uncertain future government policy and regulations with regard to sustainability
Changes in European and/or Dutch regulations can have a big impact in areas such as subsidies, CO2 pricing, market structuring and taxes. Furthermore, when providing our products and services, we have to comply with regulations regarding consumers and with privacy laws. In various ways, Eneco Group is asking for the government's attention for the importance of a stable investment and financing climate that is also aimed at accelerating the sustainability of the energy supply. As a mitigating measure, Eneco Group spreads its sustainable investments over several countries, subsidy schemes and various sustainable technologies (such as wind energy, solar energy, energy storage and energy insight and savings).
Falling behind in the energy transition
The energy market is in the middle of a transition. We see innovations in technology for production, storage, savings and conversion. Of course, this also has consequences for our future revenue model for energy deliveries to households and industries. The risk is that Eneco Group responds to these developments too late or insufficiently, causing our market share to come under pressure and leaving us unable, for example, to achieve our objectives in the growth domain of innovative services.
We follow the developments in energy-related markets closely. Which new technologies offer opportunities to fully or partially replace conventional production and regulation capacity, and how will this affect the delivery of energy in the future? We see opportunities to increase sustainability in the area of heating, but also in the market for electric transport. This is why we are developing new solutions and business models together with our customers and partners. Eneco Group mitigates this risk further by making innovation budgets and dedicated resources available to review technologies and to start pilot projects. We work together with universities and perform market scans. In this manner, we aim to develop a consistent portfolio of best available technologies.
Responding insufficiently to customers’ needs
Responding insufficiently to customers’ needs with new innovative solutions leads to loss of customers and lower revenues. The internet has made it easier for customers to compare energy suppliers and to switch from one supplier to another. New products and services increasingly have a strong digital and data-driven character. As a result, customer needs are also transforming rapidly in the energy sector, the boundaries of the sector are fading and new entrants see opportunities. As an energy company, we are searching for added value for our customers by integrating renewable production, services and technological developments into total solutions. In addition, we also sometimes combine forces with new entrants for the best solution for the customer. We invest in promising companies that develop services for our customers making use of new technology, such as blockchain, the Internet of Things and data science. In addition, Eneco Group invests in new technologies, such as data analytics, to improve existing processes. We make use of cloud technology to reduce costs and increase flexibility, and of Internet of Things technology to carry out targeted maintenance of production facilities.
Insufficient competencies and employability of personnel
Gaps in competencies and reduced employability of management and employees endanger the degree to and the speed at which strategic objectives can be realised. This is why we are working on building a high-performance organisation in which people are the central focal point. Various education, culture and development programmes for management and employees are being rolled out and supported. We develop and implement forms of collaboration that stimulate constant improvement.
Financial return of sustainable generation comes under pressure
The price of electricity and heating is currently largely determined by the price of gas, coal and emissions. However, in the future, as a result of the increasing share of sustainable production capacity, the price of electricity will be determined less and less by these marginal costs of fuels. We work with future scenarios based on possible market regulations and price developments to assess the robustness of our long-term investments in sustainable production facilities.
Development processes for sustainable production often take a number of years. Once they are operational, wind and solar parks can remain in use for decades, whereas we can only fix the delivery price for a limited number of years on the energy trading markets. We will not be able to recoup an investment that we make now when market prices decrease structurally in the future or the costs of balancing on the imbalance market increase. Therefore, our strategy is also directed at building sustainable production facilities with and at the request of our clients (Client Sources).
Operational risks
Below, we discuss our most important operational risks that can still have an estimated remaining impact of > €5 million after mitigating measures.
Risk (trend compared with 2016: ↑→↓) | Potential impact | Control measures |
---|---|---|
Financial position | | |
Creditworthiness ↑ Decrease in the perceived creditworthiness of Eneco, or a rating downgrade | | |
Spark spread ↑ Lower margin between sales prices of electricity produced by gas-fired power plants and cost price/purchase gas and CO2 | | |
Profitability sustainable assets → Lower future revenues due to lower electricity prices or lower market value of green electricity | | |
Weather risk ↑ Lower than average production volume of wind farms due to weather conditions (little wind) or lower demand from customers for gas/heating due to a mild winter. | | |
Risks with regard to business performance, control and governance of our participations and recent acquisitions ↑ | | |
*) See note 32 of the consolidated financial statements for more information about the control of financial risks | | |
Financial reporting | | |
Risks in the area of the internal and external financial planning and reporting → | | |
Operational – | | |
Unauthorised access to and/or changes in IT systems as well as cyber security ↑ | | |
Operational - Customers | | |
Business continuity interruptions ↓ Incidents and/or disruptions in our heating supply, production, trading or customer systems | | |
Laws and regulations | | |
Non-compliance with laws and regulations → | | |
In Control statement
The Board of Management is aware of the responsibility for the adequate and effective functioning of the internal control within Eneco Group.
The Board of Management has also implemented the risk management and control system described in the risk paragraph to ensure that the realisation of strategic, operational and financial objectives is monitored, the reporting on financial and non-financial information is reliable and that laws and regulations are complied with.
However, every internal risk management and control system has its inherent limitations. Therefore, we can never provide absolute assurance that we will realise our business objectives or that no material errors, losses, incidents of fraud or violations of laws and regulations will occur.
With regard to financial reporting risks, the Board of Management is of the opinion that the internal risk management and control systems provide a reasonable degree of assurance that the financial reporting is free from material misstatements and that the risk management and control systems have functioned adequately in the reporting year.
As in 2016, the Board of Management paid extra attention in 2017 to the strengthening and formalising of control measures with regard to reporting risks and risks in connection with further digitalisation, including the cyber security risk, following self-assessments of the business units and internal audit. The internal control systems regarding both themes will be further strengthened in 2018, so that we will establish additional safeguards and assurance in these areas.
In addition, extra attention will be paid in 2018 to risks in connection with the internationalisation of our company. These risks have increased in size due to the acquisitions that we made in the reporting year.
Finally, it is worth mentioning that the unbundling between the energy company and the grid operator, which was carried out in the beginning of 2017, proceeded according to plan and did not lead to important shortfalls in the internal control.