Risk management

Management and control

Risk management contributes to realising our strategic objectives in a responsible manner. With our risk policy, we carefully weigh which risks Eneco Group is running, which control measures we should implement to counter these risks and we assess the effectiveness of these measures.


The Board of Management is responsible for the risk management of the whole Group. Our risk management is based on the three lines of defence model. This structure ensures that we follow the current good practices with regard to risk management. The Board of Management has delegated the execution of risk management primarily to the directors of the business units (i.e. the first line of defence). Business Control and staff/functional areas such as compliance and security support the business units from the second line of defence. The Group Risk Management department is also part of the second line of defence and translates policy into guidelines and coordinates the risk management process. The Internal Audit function (third line of defence) conducts independent audits and reports the results to the Board of Management and the Audit Committee of the Supervisory Board.

The directors of the business units discuss their risks, risk estimates and the status of measures directed at mitigating and controlling these risk every quarter. The most important risks and measures are reported to the responsible portfolio holder in the Board of Management every quarter in the Business Unit Review. These are consolidated and reported to the Board of Management and the Audit Committee.

The Audit Committee supervises the adequate functioning of the risk management activities. We have laid down the risk limits on a company level in various concrete policy statements, codes and guidelines in areas such as safety, trading mandates, authorisations and conduct. In addition to the quarterly reports, a number of risk management topics were given more specific attention in the Audit Committee in 2017. These topics included the investments in Eni and LichtBlick, an update of the Treasury Charter, the financing requirement in relation to the rating of Eneco Group after the unbundling and cyber security.

Risk and performance management framework

We use the internal Eneco control and risk management system (ECRS), that is based on the COSO ERM framework, the worldwide standard for Enterprise Risk Management. The ECRS comprises a systematic approach for risk assessment, a set of control measures and a self-assessment method with which the management of the business units can determine whether the control measures are effective.

Risk management is an iterative and continuous process and is part of the regular Business Planning Cycle. The business units carry out a thorough analysis of the threats and opportunities at least once a year. For each significant risk, we determine what the possible impact could be on the risk categories Financial, Reputation, Integrity and Safety. We implement control measures that reduce individual risks and by means of financial-strategic projections supported by sensitivity analyses, including single-event stress tests and VaR analyses for the total of all business risks. Risk management systems have been set up on all levels of the organisation which contain specific risk-mitigating measures.

Risk tolerance

Our risk tolerance is divided into risk categories, as defined within Eneco Group:





Injury with alternative work

Injury with absenteeism or hospitalisation

One or more fatalities

Integrity & Compliance

No/limited fraud possibilities

Incidental fraud possible

Large-scale fraud possible


< €1 million

> €1 million

> €10 million

Reputation & Quality

Limited negative image among stakeholders

Decrease in confidence among stakeholders

Structural damage among stakeholders

Risk categories


A lot of attention is paid to safety within Eneco and our risk tolerance is very low. We regard serious incidents (hospitalisation, fatal accidents) as unacceptable.

Integrity & Compliance

The management has a zero-tolerance policy with regard to integrity and compliance risks.


Our risk tolerance is low in general; however, sometimes we have to ‘accept’ a higher financial impact for a risk because the possibility to mitigate this risk is limited (for example the weather risk). In addition, we consciously opt for a higher risk profile in specific areas, such as innovation and transformation. We use sensitivity analyses and stress test to determine whether we are sufficiently robust to deal with negative developments and incidents.

Reputation & Quality

Our risk tolerance is low and where possible we try to avoid any occurrence that could give rise to a negative image of the Group.

Developments in 2017

Business units carry out a self-assessment for the designated key controls at least twice a year. Key controls are control measures that reduce high risks. For controls in the field of IT, financial reporting and financial management information, an ambition on the ‘prove me’ level applies for demonstrability. The number of controls in the field of authorisation management and IT change management were expanded and enhanced in 2017. A further quality improvement with regard to demonstrability is necessary to achieve our ambition level.

The unbundling carried out at the beginning of the reporting year demanded a special effort of the organisation in order to carry this out in a controlled manner. The unbundling of both the IT organisation and the financial administrative side took place without material incidents. Following the unbundling, we adjusted our financial risk tolerance and impact scale to the size of the new organisation.

For the internal supervision and management of our growing portfolio of innovative participations, the Venture Board was established in the past year, with representatives from the Board of Management.


A number of incidents occurred in 2017. We will discuss two major incidents.

Eneco Zakelijk was hit by a ransomware virus in February 2017 due to which the normal business operations were disrupted for two days. The ransomware entered our system via the internet and was activated by a click on a link in an email. The ransomware penetrated the configuration files of our customer system leading to the interruption of customer and invoicing processes. The interruption lasted in total about 36 hours due to back-up recovery and extra controls. This incident and the international increased threat level for the energy sector have led to a significant investment in 2017 in cyber security: extra Microsoft licences, an awareness programme for personnel (Kaspersky) and advance threat protection.

A subcontractor used grit sand that was contaminated with asbestos when carrying out maintenance work at the heating plant Vijfwal in Houten in October. The work at the site was immediately stopped, local residents and the people directly involved were informed. Measurements showed that the asbestos was limited to the site of the power plant. The power plant was taken into operation again after a thorough decontamination of the site.

Reference is made to the paragraph Integrity and compliance in this annual report for reporting on incidents regarding compliance.

Strategic risks

Strategic risks are long-term risks that influence the realisation of our strategic objectives. Based on a stakeholder analysis, we determined which material themes are important for our stakeholders. We then defined the most important strategic risks for each theme.

Material themes

Strategic risks

Living within the limits of the planet


Loss of credibility sustainable image


Uncertain future government policy and regulations with regard to sustainability

Customers participate in the energy transition


Falling behind in the energy transition

Relevant for the customer


Responding insufficiently to our customers’ needs

Employee engagement


Insufficient competencies and employability of personnel

A healthy financial return


Financial return of sustainable generation comes under pressure

Below, we discuss the strategic risks in more detail as well as our mitigating strategies.

‘Energy transition can be accelerated’

Eelco Blok
Loss of credibility sustainable image

Eneco Group's mission is ‘everyone's sustainable energy’, we want to be leading in the energy transition and to be recognised as a sustainable energy company. Our aim is to operate in the future within the limits of our planet and to help our customers, partners and suppliers to do this as well: our One Planet ambition. This ambition has been translated into a CO2 reduction target for our own business operations and growth in sustainable production capacity. This is expressed in external benchmarks such as the NGO ranking in the Netherlands and the Greenpeace ranking in Belgium. In order to protect our image, we choose our suppliers and partners carefully and we apply ‘know your customer’ criteria when accepting commercial customers and counterparties. We also mitigate the risk by means of transparent communication with stakeholders about the progress of the implementation of our strategy.

Uncertain future government policy and regulations with regard to sustainability

Changes in European and/or Dutch regulations can have a big impact in areas such as subsidies, CO2 pricing, market structuring and taxes. Furthermore, when providing our products and services, we have to comply with regulations regarding consumers and with privacy laws. In various ways, Eneco Group is asking for the government's attention for the importance of a stable investment and financing climate that is also aimed at accelerating the sustainability of the energy supply. As a mitigating measure, Eneco Group spreads its sustainable investments over several countries, subsidy schemes and various sustainable technologies (such as wind energy, solar energy, energy storage and energy insight and savings).

Falling behind in the energy transition

The energy market is in the middle of a transition. We see innovations in technology for production, storage, savings and conversion. Of course, this also has consequences for our future revenue model for energy deliveries to households and industries. The risk is that Eneco Group responds to these developments too late or insufficiently, causing our market share to come under pressure and being unable to, for example, achieve our objectives in the growth domain innovative services.

We follow the developments in energy-related markets closely. Which new technologies offer opportunities to fully or partially replace conventional production and regulation capacity and how will this effect the delivery of energy in the future? We see opportunities to increase sustainability in the area of heating, but also in the market for electric transport. This is why we are developing new solutions and business models together with our customers and partners. Eneco Group mitigates this risk further by making innovation budgets and dedicated resources available to review technologies and to start pilot projects. We work together with universities and perform market scans. In this manner, we aim to develop a consistent portfolio of best available technologies.

Responding insufficiently to customers’ needs

Responding insufficiently to customers’ needs with new innovative solutions leads to loss of customers and lower revenues. Internet has made it easier for customers to compare energy suppliers and to switch from one supplier to another. New products and services increasingly have a strong digital and data-driven character. As a result, customer needs are also transforming rapidly in the energy sector, the boundaries of the sector are fading and new entrants see opportunities. As an energy company, we are searching for added value for our customers by integrating renewable production, services and technological developments into total solutions. In addition, we also sometimes combine forces with new entrants for the best solution for the customer. We invest in promising companies that develop services for our customers making use of new technology, such as blockchain, the Internet of Things and data science. In addition, Eneco Group invests in new technologies to improve existing processes such as data analytics. We make use of cloud technology to reduce costs and increase flexibility and Internet of Things technology to carry out targeted maintenance of production facilities.

Insufficient competencies and employability of personnel

Gaps in competencies and reduced employability of management and employees endangers the degree to and the speed at which strategic objectives can be realised. This is why we are working on building a high-performance organisation in which people are the central focal point. Various education, culture and development programmes for management and employees are being rolled out and supported. We develop and implement forms of collaboration that stimulate constant improvement.

Financial return of sustainable generation comes under pressure

The price of electricity and heating is currently largely determined by the price of gas, coal and emissions. However, in the future, as a result of the increasing share of sustainable production capacity, the price of electricity will be determined less and less by these marginal costs of fuels. We work with future scenarios based on possible market regulations and price developments to assess the robustness of our long-term investments in sustainable production facilities.

Development processes for sustainable production often take a number of years. Once they are operational, wind and solar parks can remain in use for decades, whereas we can only fix the delivery price for a limited number of years on the energy trading markets. We will not be able to recoup an investment that we make now when market prices decrease structurally in the future or the costs of balancing on the imbalance market increase. Therefore, our strategy is also directed at building sustainable production facilities with and at the request of our clients (Client Sources).

Operational risks

Below, we discuss our most important operational risks that can still have an estimated remaining impact of >€ 5 million after mitigating measures.

Risk (trend compared with 2016: ↑→↓)

Potential impact

Control measures

Financial position

Creditworthiness ↑

Decrease in the perceived creditworthiness of Eneco, or a rating downgrade

  • Decrease in the willingness of energy trading parties to give Eneco Group uncovered limits on trading positions or an increase in guarantees and other collateral to be provided by Eneco Group
  • Less favourable conditions for access to capital and money markets and (limited) higher interest mark-ups 
  • This risk has increased due to the unbundling of the grid operator
  • Stress testing in particular on key ratios such as FFO/net debt
  • Steering on contract conditions with customers and trading parties
  • Availability of back-up financing and guarantee facilities, to be used in particular in the event of volatile market conditions *)
Spark spread ↑

Lower margin between sales prices of electricity produced by gas-fired power plants and cost price/purchase gas and CO2

  • Approximately € 10 million per year
  • Risk is rising moderately in view of the developments on the trading markets
  • Portfolio management and hedging strategies in the energy trading markets with energy derivatives *)
Profitability sustainable assets →

Lower future revenues due to lower electricity prices or lower market value of green electricity

  • Approximately € 5 to € 10 million per year
  • The Dutch and Belgian subsidy schemes do not eliminate the price risk entirely. The subsidy scheme in the UK has an inherent large price-level sensitivity.
  • Spreading investments over several countries
  • Hedging positions via energy trading markets *); however, the market is only liquid for a limited number of future years.
  • Concluding multi-year client delivery transactions in line with our Client Sources strategy
Weather risk ↑

Lower than average production volume of wind farms due to weather conditions (little wind) or lower demand from customers for gas/heating due to a mild winter.

  • Approximately € 20 to € 40 million on an annual basis
  • The influence of weather on our results increases due to the expansion of our wind production and customer portfolio (heating demand). However, the temperature risk per household is gradually decreasing due to better insulation and other technologies. To a certain extent, the weather risk can be mitigated cost effectively; however, a substantial residual risk remains.
  • Concluding (counter) weather-related purchasing contracts, sales contracts and derivatives *)
  • Use of our gas storage facilities
  • Portfolio management and use of expertise to forecast weather in relation to expected energy supply and demand
  • Using demand-steering mechanisms together with our customers
  • Sourcing of sustainable energy partially via multi-year purchase from third parties (PPAs) instead of own wind farms
Risks with regard to business performance, control and governance of our participations and recent acquisitions ↑
  • Reputation damage and financial loss, of which the impact depends on the scope and the interest that we have. Reputation damage occurs when business objectives are not achieved sufficiently or incidents occur in the area of internal control. Financial impact occurs when anticipated synergy advantages are not realised when acquisitions are consolidated, when claims arise, or when the company is unable to realise growth objectives with acquisitions and participations.
    The size of this risk is increasing as Eneco is accelerating its transition to new revenue models and customer markets by means of an active acquisition policy in the Netherlands and abroad. In addition, we intentionally give our innovative participations more room so that they can innovate and excel faster and accept that an inherently larger risk is attached to these types of participations.
  • We supervise our venture portfolio via the Venture Board.
  • Through its representative seats in supervisory bodies of its participations, Eneco supervises and assesses the policy of the management on business development and internal control
  • Additional requirements apply to participations included in the consolidation, in particular regarding reporting and IT controls, in line with Eneco standards.

*) See note 32 of the consolidated financial statements for more information about the control of financial risks

Financial reporting

Risks in the area of the internal and external financial planning and reporting →
  • Reputation damage, claims and legal proceedings
  • Non-compliant or incorrect reporting
  • Lack of correct, timely and substantiated financial steering information for decision-making by the management
  • The potential impact of this risk will increase in the event of a decision for a shareholders' transaction

  • Keeping financial reporting knowledge up-to-date
  • The internal control and administrative-organisational measures, including our accounting guidelines
  • Procedures for periodic closing, reporting, forecasting and energy balance

Operational –
IT related

Unauthorised access to and/or changes in IT systems as well as cyber security ↑
  • Reputation damage
  • Fraud
  • Financial impact: depending on the nature and seriousness of the incident in question, damage can rise to more than € 1 million
  • In line with the general trend in society, the risk of cyber security incidents is increasing.
  • Signalling and detection techniques for unauthorised access and suspicious activities
  • Awareness training for employees
  • Assurance assessments by third parties (audits and certification)
  • IT change management, policy regarding allocation and cancellation of accounts, corresponding authorisations and application of IT safety protocols.

Operational - Customers

Business continuity interruptions ↓ 

Incidents and/or disruptions in our heating supply, production, trading or customer systems

  • Safety incidents with injury or worse
  • Financial impact: depending on the nature and seriousness of the incident in question, this can rise to more than €5 million
  • Risk has decreased due the unbundling of the grid operator
  • Safety policy and instructions
  • Duplicated IT platform for critical systems
  • Carrying out periodical crisis management and recovery tests
  • Business Interruption Awareness programme rolled out at the business units
  • Maintenance and monitoring of our heating grids and own production units

Laws and regulations

Non-compliance with laws and regulations →
  • Reputation damage
  • Claims
  • Legal proceedings
  • Financial impact: depending on the nature and seriousness of any violations, this can amount to more than €5 million
  • Compliance control frameworks at business units
  • Keeping knowledge about prospective relevant laws up-to-date and sharing this actively with the business via internal media and knowledge sessions

In Control statement

The Board of Management is aware of the responsibility for the adequate and effective functioning of the internal control within Eneco Group.

The Board of Management has also implemented the risk management and control system described in the risk paragraph to ensure that the realisation of strategic, operational and financial objectives is monitored, the reporting on financial and non-financial information is reliable and that laws and regulations are complied with.

However, every internal risk management and control system has its inherent limitations. Therefore, we can never provide absolute assurance that we will realise our business objective or that no material errors, losses, incidents of fraud or violations of laws and regulations will occur.

With regard to financial reporting risks, the Board of Management is of the opinion that the internal risk management and control systems provide a reasonable degree of assurance that the financial reporting is free from material misstatements and that the risk management and control systems have functioned adequately in the reporting year.

As in 2016, the Board of Management paid extra attention in 2017 to the strengthening and formalising of control measures with regard to reporting risks and risks in connection with further digitalisation, including the cyber security risk, following self-assessments of the business units and internal audit. The internal control systems regarding both themes will be further strengthened in 2018, so that we will establish additional safeguards and assurance in these areas.

In addition, extra attention will be paid in 2018 to risks in connection with the internationalisation of our company. These risks have increased in size due to the acquisitions that we made in the reporting year.

Finally, it is worth mentioning that the unbundling between the energy company and the grid operator, which was carried out in the beginning of 2017, proceeded according to plan and did not lead to important shortfalls in the internal control.

sPrevious paragraph:
sNext paragraph: