Enterprise Risk Management (ERM)
Risk management helps us to identify and control risks timely so that we can realise our objectives. Our approach is integrated in the planning and control cycle and in the processes. We stimulate risk awareness within the organisation and encourage employees to deal carefully with risks.
With risk management, we not only control risks, we also create and maintain value, improve performance, and provide the certainty that we comply with laws and regulations.
We use risk assessments to identify and analyse risks at all levels within the organisation. We take measures based on these risk assessments. Management is responsible for risk management and is supported by our business controllers and other staff functions. The group risk managers of the IA&R department coordinate and facilitate the risk management processes.
Risk model
Enexis uses the global risk management standards of the COSO ERM model and the Three Lines Model for risk management. Based on the external assessment of our risk management processes in 2022, we have drawn up a risk roadmap with the objective of taking risk management to an even higher level within Enexis and to transition from a process- to a business-oriented approach. As part of this assessment, the specific requirements of all departments in the area of risk management were examined. In addition, we aligned the governance of the risk management process with the organisation's requirements.
We have divided our risk management processes in strategic and operational risk management. The outcomes of this strategic and operational risk analysis are reported to and discussed in the Audit Committee or the SB. This process enables the EB to issue its Board Statement.
Operational risk management
Via operational risk analyses, we identify risks at tactical and operational levels that constitute a threat to Enexis' business processes. Hereby we take into account the risks that have arisen from periodic compliance, privacy, security, and data management analyses. We aim to document risks and measures that exceed Enexis' risk appetite integrally in our internal control framework (ICF).
Management assesses the functioning of the most important control measures twice a year, via a Control Self-Assessment (CSA). In this self-assessment, Managers examine to what extent risks are controlled. The department management weighs the outcomes of the CSA and, if necessary, adds these to the Internal Letter of Representation (LOR). In this manner, the departments and the EB indicate the extent to which the internal risk management and control systems are adequate.
In addition to the hard controls in the ICF, we also pay attention to soft controls. The soft controls pertain to integrity, engagement, and collaboration. Our internal integrity committee pays attention to integrity, performs a fraud risk analysis periodically, and discusses the control of fraud risks.
Operational and tactical risk management within Enexis focuses on the timely identification of events that can form a risk for achieving our goals and on controlling these risks.
Strategic risk management
In our strategic risk analysis, we identify events that threaten Enexis' continuity or the realisation of its strategic objectives. When an event actually occurs, but the impact and degree of control are uncertain, we continue to treat such an event as a strategic risk.
Departments identify inventory every year the strategic risks that are relevant for their department and describe these risks on a risk card. Thereafter, the identified risks are analysed and quantified. We then estimate the likelihood that an event could occur and the impact of this event on one or several business values. To this end, we make use of a risk matrix which specifies Enexis' risk appetite for each business value. We then cluster comparable risks on a group level. The EB discusses and values these clustered risks.
Risks with a ‘high’ score exceed the risk appetite. We take measures for these risks, with the aim that these risks are at least reduced to ‘medium’. Management determines whether measures are necessary for risks with a 'medium’ score.
Each strategic risk has an owner. This owner is responsible for taking adequate measures and monitors the development of the risk. The measures are incorporated in the business plans of the departments. Management monitors the risks and the effectiveness of the measures via the planning and control cycle. The development of the most important strategic risks is reported to the EB periodically by the risk owners.
The strategic risks are described below. Specific risks relating to financial instruments are described in the financial statements.
A. Customer demand cannot be met timely due to a shortage of personnel, materials, and/or grid capacity
We run this risk
The growing demand for electricity as a result of the energy transition leads to capacity problems in our grids as well as to a lot of extra work. The demand for grid capacity regularly exceeds the transmission capacity of the grid. Grid capacity shortages lead to disputes with customers and are slowing down the energy transition. Increasing the transmission capacity of, in particular, the high-voltage grids requires a lot of capacity and time.
The pressure on the available personnel is structurally very high at both Enexis and our contractors. In addition, we are also being confronted with an increase in employee turnover. We can only partially compensate for the shortage of personnel by working on increasing efficiency.
It is a challenge to meet the materials requirement at the right time due to the increasing fluctuations in demand and the circumstances on the purchasing market. Our ability to forecast and plan is not always adequate. As a consequence, the materials required for the execution of the work package are not always available on time.
This is how we reduce the risk
On the one hand, we channel the demand and, on the other hand, we increase production.
By investing proactively based on the Regional Energy Strategies (RES), Cluster Energy Strategies (CES), and pMIEK (Provincial Multi-year programmes Energy and Climate), Enexis anticipates future developments in the grid. Enexis tries to steer the growth of the demand of renewable energy producers and consumers in the direction of areas where transmission capacity is still available on the grid. The roll-out of congestion management remains an important measure in this.
At the same time, many measures taken were aimed at better coordination and communication with our customers, see risk G (reputation damage because we do not react adequately to complaints and are not able to offer any action perspective to customers).
We have been working for some time on stimulating the inflow of new employees and limiting the outflow. Furthermore, in the coming period, the emphasis will lie, in particular, on organising the work differently and taking a more modular approach to training. We do this, for example, via the programme Sufficient Skilled Personnel.
We aim to improve the future availability of components by working with long-term plans. We are working on standardising components, strategic inventory management, and are in constant contact with the suppliers’ market so that we are better able to respond in a flexible manner. In the supply chain, we are steering on the On Time In Full principle.
This is how high we estimate the risk
The impact of this risk has risen; controlling the impact of the shortage of personnel, electricity grid capacity, and materials is becoming more and more of a challenge.
More general information about the growing customer demand and shortages can be found in the sections Together towards a future-proof energy system, Working on increasing grid capacity and Communicating transparently about what is possible.
B. Unauthorised use of data and/or systems not being available due to inadequate security measures(ICT/OT)
We run this risk
The activities of hackers and cybercriminals (phishing and ransomware attacks) constitute a major threat. Unauthorised access to our systems and data can lead to incidents with regard to data security, business continuity, and compliance (General Data Protection Regulation and the Dutch Security of Network and Information Systems Act). As a result of digitalisation, our grids are increasingly vulnerable to cyberattacks.
Due to the increasing dependence on cloud services, risks also arise when platforms and systems in the cloud are not available for longer periods of time. Long-lasting interruptions or even the discontinuation of service providers have a large impact on Enexis work processes.
A new element is the increasing development of powerful quantum computers. These computers will have sufficient computing power in the near future to crack our cryptographic algorithms that we currently consider to be strong, which can lead to new security risks.
This is how we reduce the risk
We work with an Enexis-wide security roadmap, with a wide range of measures. In addition, we are developing a strategic information security system and an information security management system (ISMS) is being set up centrally. We are continuously performing assessments on security awareness, ransomware readiness, and NBA maturity.
A Security Operations Centre has been set up within the IT department. IT uses penetration tests and automated security scanning on the primary ICT internet systems. Various activities have been initiated to get and maintain a grip on Identity & Access Management. Furthermore, we also have continuity management measures in place to prevent large-scale outages of IT systems (for example, drawing up disaster recovery plans, performing periodic recovery tests, and actively monitoring periodic assurance statements).
An Operational Technology (OT) security organisation is active in the OT field. This organisation is tasked with specific OT security measures such as the implementation of advanced security monitoring tools to signal deviations in network traffic, periodic security assessments, anti-malware for centralised and decentralised OT systems, and an ISO 27001 certification for the OT domain.
In view of the threat of decryption of data by quantum computers, we have developed guidelines which prescribe which cryptographic algorithms are or are not permitted. We identify the risks that Enexis is running in the area of quantum threats and the cryptography used by Enexis.
This is how high we estimate the risk
The probability has remained the same as, on the one hand, our basic measures are increasingly in order and we have initiated more and more activities in the field of security. However, on the other hand, we are being confronted with increasingly large threats.
More context about this risk can be found in section Working on increasing grid capacity, more specifically in the paragraph Safeguarding digital security.
C. Accidents suffered by employees and/or bystanders due to unsafe situations and/or asset failures
We run this risk
Work on the energy grids exposes our employees and bystanders to safety or health risks. Due to the nature of our primary processes (working on electricity and gas infrastructure and working in public spaces), the probability of an accident or damage to the health of employees is an ever-present risk. Asset failures or material failures can also have serious safety consequences for employees and bystanders.
Personnel shortages and the outflow of experienced employees (for example, due to retirement) have an impact on workmanship and leads to a higher workload and thus to a higher safety risk. When outsourcing work to contractors or employing non-Dutch speakers or foreign parties, we also have to pay extra attention to safety.
This is how we reduce the risk
Enexis gives top priority to safety. We are working on increasing the safety awareness and alertness of both personnel and management. We take the safety performance of our contractors into account and we pay extra attention to a correct follow-up of the ‘workplace dialogue’. In addition, we have also launched the programme “working voltage-free and gas-free is the standard”.
We analyse the risk of unsafe situations in our electricity and gas grids on a continual basis. We have an adequate maintenance and replacement policy in order to limit the probability of unsafe situations for third parties as much as possible. To ensure the safety of smart meters, we test and check each cargo of smart meters.
With regard to safety, it is our ambition to continue to grow to step 4 on the Safety Culture Ladder.
This is how high we estimate the risk
The valuation of this risk has not changed compared to last year. On the one hand, we are taking steps in the area of safety, on the other hand, we see increasing pressure on our activities. Therefore, overall, we do not see any developments that provide a reason for a different positioning.
More general background information about safety can be found in the section Working safely and strengthening each other.
D. Large-scale interruptions of the energy supply
We run this risk
As a consequence of natural disasters (for example earthquakes, floods, etc.) or due to deliberate wrongdoing, severe disruptions can occur in our grids, resulting in prolonged and large-scale interruptions in the energy supply. The probability of large-scale interruptions is also increasing due to the growing demand and the resulting overload of our electricity grid.
Furthermore, the risk of a shortage of gas continues to exist. This can lead to large-scale and prolonged interruptions of the energy and/or gas supply to customers.
This is how we reduce the risk
Enexis has an adequate maintenance and replacement policy in place to limit the probability of large disasters as much as possible. We have replacement assets that we can employ quickly in emergency situations. We are constantly fine-tuning our crisis management plans following the occurrence of actual crises and we regularly hold crisis drills. We have specific measures in place for earthquakes and floods. We also continue to monitor international developments and potential consequences for Enexis.
This is how high we estimate the risk
We are increasingly testing the limits of our grid. As a result, we see an increase in the likelihood of interruptions.
More context about this risk can be found in section Working on increasing grid capacity, more specifically in the paragraph Energy supply is reliable.
E. Deterioration of our financial position due to price effects and effects of the energy transition and regulation method
We run this risk
The electricity regulation method is not geared to the growing investments and operating costs in connection with the energy transition. As a consequence, the costs are not compensated timely and completely. This means that Enexis is being confronted with a significant extra capital requirement, which puts pressure on its financial ratios and investment capacity.
Interest rate, inflation, energy prices, raw materials, and currency developments can impact Enexis’s ability to finance its activities. These developments can have such an impact on our results and ratios that this would limit our financing capacity. In particular, the price risks relating to interest rates and energy prices (in connection with purchasing grid losses) could lead to a considerable extra equity capital requirement.
This is how we reduce the risk
Enexis is taking action in various areas to improve its ability to finance the energy transition. The financing issue is being discussed with multiple stakeholders and we are working on internal efficiency improvements. In this context, we are constantly in contact with the ACM to discuss the future of the regulation.
The manner in which we aim to control the interest rate risk is described in the Treasury Statute. A Financial Risk Committee has been set up. The risk in connection with electricity and gas grid losses has been actively hedged up to and including 2026 by purchasing the required volume. The exposure to raw materials price risks and currency risks in connection with purchasing have been further examined and elaborated. These risks appear to be relatively limited.
This is how high we estimate the risk
This risk has remained unchanged. Although we won the appeal via the Trade and Industry Appeals Tribunal (CBb) regarding the setting of the tariffs, we will still have to pre-finance a significant share of the energy transition.
More information about our increased costs can be found in the section Communicating transparently about what is possible and more specifically the paragraph Significant increase in grid tariffs.
F. Enexis is insufficiently agile to execute complex and profound change processes
We run this risk
The uncertainties around customer demand are large (see also risk A). The risk exists that when we are unable to adapt our customer processes fast enough and we are unable to realise our goals in the area of realisation, contracting flex capacity, and other new products on time. If we are not sufficiently agile, this can undermine our effectiveness and reliability. This demands a lot of our organisation's and our employees’ change capacity.
We have the desire to change and accelerate, but it is often not possible to do this fast enough due to the complexity of processes. The playing field is also changing rapidly in the market facilitation chain. As grid operators, we have to be able to anticipate these changes, for example, the new Energy Act and facilitating flexibility markets and congestion management.
This is how we reduce the risk
Based on a chain plan, we improve processes and products, with a product board and accompanying product portfolio. Relationship management was restructured with a specific congestion/flex team. We are working together intensively in the sector, with interest groups and the ACM to arrive at better regulations, a clear definition of ‘reasonable term’, and the implementation of 'societal prioritisation’.
There are sector programmes in which Enexis is represented with strong programme steering and aimed at simplification of governance and smarter use of resources.
The development of leadership skills is a strategic initiative to increase the agility of employees. Our leaders and employees are stimulated via various initiatives to work more agile, to show more courage, and to think more creatively. We pay explicit attention in our recruitment, management development, and vitality policy to the skills agility and showing courage.
This is how high we estimate the risk
The pace of the developments resulting from the energy transition continues to accelerate. As a consequence, the likelihood that we are insufficiently agile increases and hinders us in implementing complex and fundamental changes.
More general background information about this risk can be found in the section Communicating transparently about what is possible.
G. Reputation damage because we do not react adequately to complaints and do not offer customers an action perspective
We run this risk
Customers and stakeholders are looking for a perspective to realise their own objectives. However, we are not always able to offer the requested transparency. Planning and realisation of grid investments are uncertain. New products or technical solutions have to be developed. We try as much as possible to draw up plans for the future together with our stakeholders. This intensive collaboration leads to expectations that we are not always able to meet.
A negative impact on the image of Enexis can also arise in a more generic manner as a consequence of other identified risks or negative news about other players in the sector. Due to all these uncertainties, the likelihood of complaints, claims, and reputation damage is increasing and can even possibly lead to the questioning of our ‘licence to operate’.
This is how we reduce the risk
Internally and in the sector (Netbeheer Nederland), we are working on more transparency vis-à-vis our stakeholders with regard to insight into waiting lists and an action perspective (when will capacity become available). There are initiatives to improve our communication and customer service, such as more customisation in customer service, communicating 'the new reality', a digital walk-in consultation hour, setting up a productboard and productportfolio, webinars, and manuals for businesses and business parks.
In addition, there is also more attention for stakeholder expectation management. We work together in task forces per province where the pMIEKs (Provincial Multi-year programmes Energy and Climate) are discussed aimed at prioritising and programming. We are working on an Energy System of the Future campaign in which we inform stakeholders about what we are doing and what this means.
We also have more generic communication measures in place. Externally, our communication advisers have good contacts with the business community and we monitor our relationship with stakeholders. Internally, we have an effective structure in place for crisis communication, so that we can communicate quickly, openly and transparently in the event of a crisis.
Sector-wide, we are working on campaigns to increase awareness among customers of their own role in the efficient use of the electricity grid. In addition, we continue to work on a reputation buffers and a positive image by explaining what our role is and showing how much work we are carrying out to realise the energy transition and also drawing attention to our innovations and solutions.
This is how high we estimate the risk
Last year, this risk was part of risk A (consequences of shortages). We are now classifying this risk as separate risk due to the specific characteristics of this risk and because we see this risk manifesting itself more explicitly.
More general context about this risk can be found in the sections Together towards a future-proof energy system and Communicating transparently about what is possible.
H. Limitations and uncertainties regulations and permit processes
We run this risk
Existing laws and regulations and uncertainties about new legislation make it difficult or could make it difficult for us to react adequately and quickly to customer demand and expansion of the grid:
For instance, there are restrictions for expansions in the vicinity of ‘Natura 2000’ areas. In these areas, nitrogen emissions must be limited or compensated. As a result, we must make nitrogen calculations for all our projects and identify measures to remain below the permitted nitrogen emissions.
Due to problems with spatial integration, Enexis cannot build additional grid infrastructure fast enough. The energy system of the future requires space above ground and below ground. When drawing up plans, the spatial aspects of the energy supply are often only taken into account in a later stage. Planning procedures and the accompanying processing times are threatening to become an important delaying factor in grid expansions.
We see increasing litigation in connection with the feasibility challenge that grid operators are facing. Legal procedures are regularly being initiated if we deviate from (statutory) connection periods or if we have to refuse the requested transmission capacity. In addition, the legal structure of new products is still uncharted and complex. We are encountering varying interpretations of new laws and regulations. This is leading to dissatisfaction in society and demands more capacity/costs from Enexis to come up with new solutions, help find solutions together with customers, avoid - if possible - legal proceedings, deal with court cases and stakeholder and reputation management.
A fourth element is the risk of a political impasse in the Netherlands. The formation of a new cabinet can lead to a delay in the decision-making or to changes in laws and regulations. There is a risk that a new cabinet will opt for a new course of action in energy and other dossiers. This unpredictability and delays in the decision-making can have consequences for the development of long-term solutions.
This is how we reduce the risk
A large number of measures have been taken or are being prepared with regard to the four aforementioned topics.
Analyses have been performed on the bottlenecks in connection with nitrogen emissions by the Ruimte & Recht (R&R) department for the whole portfolio. We make use of a nitrogen calculation model. Based on the analyses, possible actions come to the fore and we are elaborating scenarios to limit emissions. The Steering Group Nitrogen takes decisions regarding where we can limit emissions. Where this is possible and necessary, we will build emission-free.
To avoid increasing litigation, our Corporate & Legal Affairs (CLA) department is closely involved in, for example, the roll-out of congestion management and the development of flex products, and alternative transmission rights. In the event of legal developments, the internal and external coordination (at the level of TenneT) has been intensified. In this manner, we are better able to build up a body of evidence to substantiate the congestion issue.
To avoid a political impasse or delays in essential laws and regulations for the sector, we have direct contact and contact via the sector with the Dutch government.
This is how high we estimate the risk
This concerns a combination of four new risks, i.e., "Limiting nitrogen emissions’, ‘Spatial planning’, ‘Delays and changes in laws and regulations’ and ‘Legal complexity new products'. In particular, the first two risks are becoming increasingly manifest in the production process.
More context, in particular, about the permit factory and various new products can be found in the section Working on increasing grid capacity.