Enterprise risk management (ERM)
Risk management helps us identify and manage risks to achieve our objectives in a timely manner. Our approach is integrated into the planning and control cycle and regular processes. We promote risk awareness within the organisation and encourage employees to deal consciously with risks.
Risk management is not just about managing risk. We also create and maintain value, improve performance and ensure that Enexis complies with laws and regulations.
We perform risk assessments to identify and analyse risks at all levels of the organisation. We take action based on these risk assessments. Risk management is the responsibility of senior management. Our business controllers, Internal Audit & Risk (IA&R) and other staff functions support them. The group risk managers in the IA&R department coordinate and facilitate the risk management processes.
Risk model
Enexis uses the global risk management standards of the COSO ERM model and the Three Lines Model for risk management. Last year, based on a roadmap, we raised the level of risk management within Enexis and initiated a shift in focus from process to business. We can see that this process is beginning to bear fruit in the improved quality of dialogue between the first and second lines and between the second and third lines. In addition, our group risk managers and internal auditors are increasingly being asked to to thinking along solving operational issues.
We have divided our risk management processes into strategic and operational risk management. The outcomes of the strategic and operational risk analysis are reported to and discussed in the Audit Committee or the SB. This process enables the EB to issue a board statement.
Operational risk management
Through operational risk analysis, we identify risks at tactical and operational levels that pose a threat to Enexis' business processes. In doing so, we take into account the risks arising from periodic compliance, privacy, security and data management analyses. We aim to document risks and measures exceeding Enexis' risk appetite in our internal control framework (ICF).
Management evaluates the functioning of the most important control measures twice a year using a Control Self-Assessment (CSA). In this self-assessment, managers examine the extent to which risks are mitigated. Divisional management evaluates the results of the CSA and, if necessary, adds them to the internal Letter of Representation (LOR). In this way, the departments and the EB indicate the extent to which the internal risk management and control systems are adequate.
In addition to the hard controls in the ICF, we also pay attention to soft controls. The soft controls pertain to integrity, engagement, and collaboration. Our internal integrity committee pays attention to integrity, performs a fraud risk analysis periodically, and discusses the control of fraud risks.
Operational and tactical risk management within Enexis focuses on identifying events that may pose a risk to achieving our objectives and controlling these risks in a timely manner.
Strategic risk management
In our strategic risk analysis, we identify events that threaten the continuity of Enexis or the achievement of its strategic objectives. If an event occurs, but the impact and degree of control are uncertain, we treat such an event as a strategic risk.
Each year, the departments make an inventory of the strategic risks relevant to their department and describe these risks on a risk card. The risks identified are then analysed and quantified. This means we assess the likelihood of an event occurring and the impact of that event on one or more business values. For this purpose, we use a risk matrix that specifies Enexis’ risk appetite for each business value. We then aggregate comparable risks at group level. The EB discusses and evaluates these aggregated risks.
Risks with a ‘high’ score exceed the risk appetite. We take action to reduce these risks to at least ‘medium’. For risks with a ‘medium’ score, management determines whether action is required.
Each strategic risk has an owner. This owner is responsible for taking appropriate action and monitoring the development of the risk. The measures are integrated into the divisions’ business plans. Management monitors the risks and the effectiveness of the measures through the planning and control cycle. The development of key strategic risks is regularly reported to the EB by the risk owners.
Strategic risks
Strategic risks are described below. Specific risks related to financial instruments are described in the notes to the financial statements.
A Customer demand cannot be met due to a shortage of personnel, materials and/or grid capacity
This is the risk we face
The growing demand for electricity due to the energy transition is causing capacity problems in our grids and a lot of extra work. The demand for grid capacity regularly exceeds the transmission capacity of the grid. Grid capacity shortages lead to disputes with customers and slow down the energy transition. Increasing the transmission capacity of the high-voltage grids, in particular, requires a lot of capacity and time.
The pressure on the available personnel is structurally very high, both at Enexis and at our contractors. In addition, we also face an increase in employee turnover. We can only partially compensate for the shortage of personnel by working more efficiently.
It is a challenge to meet the demand for materials at the right time due to the increasing fluctuations in demand and the conditions in the procurement market. Our forecasting and planning capabilities are not always adequate. As a result, the materials needed to complete the work package are not always available on time.
This is how we reduce the risk
By proactively investing on the basis of Regional Energy Strategies (RES), Cluster Energy Strategies (CES) and pMIEK (Provincial Multi-Year Programmes Energy and Climate), Enexis anticipates future developments in the grid.
We aim to avoid congestion through various measures. One approach is directing the growth of renewable energy producers and customers to areas where there is still transmission capacity on the grid. Congestion management remains a necessary measure. The development of flex products is another. These include the Capacity Reduction Contract, designed to reduce congestion, and the Non-Firm Connection Agreement (NFA 2.0), in which fixed return of energy is not always guaranteed.
Through the Sufficiently Skilled Personnel programme, we are continuously working to attract new employees and retain existing talent. In the coming period, the focus will remain on reorganising work processes and increasing our capacity to train and mentor (new) employees. The programme also explores new ways of recruiting and (digital) training. This also applies to the contractors we work with.
To ensure the future availability of materials and components, we are implementing long-term planning. Our efforts include standardisation, innovation, strategic inventory management and improved planning. We are also working on process harmonisation, supplier management development and component chain optimisation. In the supply chain, we are committed to achieving ‘On Time In Full’ delivery.
This is how high we estimate the risk
Our risk assessment is the same as last year. Managing the impact of labour, energy and material shortages remains a major challenge. We consider this to be our most critical strategic risk.
B Unauthorised use of data and/or systems not being available due to inadequate security measures (ICT/OT)
This is the risk we face
The activities of hackers and cybercriminals, such as phishing and ransomware attacks, pose a significant threat. Unauthorised access to our systems and data can result in data breaches, regulatory non-compliance (AVG and Wbni) and business continuity incidents. For example, unauthorised access to our physical network could jeopardise the power supply. The increasing digitalisation of our operations and networks also makes us more vulnerable to external breaches.
In addition, the growing reliance on cloud services introduces additional risks, particularly if platforms and systems experience prolonged downtime. Prolonged outages, the inability to scale cloud services or even the loss of service providers could severely impact Enexis’ operations.
Looking ahead, we are also considering the impact of powerful quantum computers. In the near future, these machines will have enough computing power to break today’s strongest cryptographic algorithms, potentially creating new security risks and data vulnerabilities.
This is how we reduce the risk
We are implementing an Enexis-wide security roadmap that includes a wide range of measures. These include our strategic information security policy, a centralised information security management system (ISMS), the establishment of third-party risk management, the implementation of the IAM control model and the tightening of patch management. We also conduct ongoing security awareness initiatives, regular ransomware readiness assessments and NBA maturity assessments. The Digital Security Steering Committee oversees these efforts across Enexis.
In Operational Technology (OT), a dedicated OT security organisation is responsible for specific OT security measures. This includes maintaining an advanced security monitoring tool to detect anomalous network traffic, conducting regular security assessments, implementing anti-malware solutions for both centralised and decentralised OT systems, and ensuring ISO 27001 certification for the OT domain.
We have implemented business continuity management measures to mitigate the risk of major IT system failures. In the event of an incident, we take immediate action to facilitate faster recovery. These include disaster recovery plans, which are regularly tested in simulated exercises with other departments.
Given the growing threat of data decryption by quantum computers, we have developed a policy/standard that defines which cryptographic algorithms are permitted and which are not. We continue to focus on quality improvement, IT risk management and emerging risks related to quantum technology.
This is how high we estimate the risk
Compared to 2023, we consider the probability to be higher. Our baseline measures continue to improve, and we are significantly expanding our security-related activities. At the same time, the overall threat landscape is growing, partly due to geopolitical developments.
C Accidents suffered by employees or bystanders due to unsafe situations or asset failures
This is the risk we face
Working on electricity grids carries inherent risks to the safety and health of employees and bystanders. Due to the nature of the primary processes, such as working on electricity and gas infrastructure and working in public spaces, there is always the possibility of accidents or health impacts for employees. Equipment failure or material defects can also pose serious safety risks to workers and bystanders.
Staff shortages and the loss of experienced workers affect the quality of work, increase workloads and can increase safety risks. Safety is also an issue when work is outsourced to contractors or when working with non-native or foreign parties.
This is how we reduce the risk
Safety is a top priority at Enexis. For years, we have been running the ‘Safety on 1’ campaign to raise and maintain awareness of the importance of safety among all employees. We closely monitor the safety performance of our contractors and are placing greater emphasis on following up workplace dialogues. We also have an ongoing programme to reduce the number of times we work without gas or electricity.
We continually assess the risk of unsafe situations in our electricity and gas grids. We follow a structured maintenance and replacement policy to minimise these risks. The Excavation Damage Prevention Team oversees the prevention of damage caused by third-party excavations, with a particular focus on fibre optic companies due to the relatively high risk of damage during fibre optic cable installation. To ensure the safety of smart meters, each batch is thoroughly tested and inspected before deployment.
This is how high we estimate the risk
Our assessment of this risk remains unchanged from last year. We do not see any developments in the area of security that would warrant a different assessment. Safety remains a top priority and continues to receive our full attention.
D Large-scale interruptions of the energy supply
This is the risk we face
Natural disasters such as earthquakes and floods, or deliberate acts, can severely disrupt our grids, leading to prolonged and widespread power outages. The increasing load on our electricity network also increases the likelihood of significant outages.
In addition, the medium-voltage and low-voltage grid is under increasing pressure, mainly due to the growing number of solar panels on household roofs. This is leading to an increasing number of minor power interruptions.
This is how we reduce the risk
Enexis has a comprehensive maintenance and replacement policy to minimise the risk of major incidents. We have spare equipment available for rapid deployment in an emergency. Our contingency plans are continuously improved based on real-life crisis experience, and we conduct regular crisis drills. We also have specific measures to address the risks of tele-vulnerability and flooding. Outages are systematically recorded and analysed to take preventive measures. We also closely monitor international developments and their potential impact on Enexis.
We continue to invest proactively in strengthening our medium-voltage and low-voltage grids. To this end, we have launched two major projects that require intensive coordination with all stakeholders. The use of network redundancy and backup facilities also helps to minimise outages.
Annual Outage Time (AOT) is a key performance indicator for Enexis. Our asset management and production teams work every day to keep it as low as possible.
This is how high we estimate the risk
We are constantly pushing the limits of our grid, which increases the risk of major outages. In addition, as our grid becomes more congested, the likelihood of regular minor outages increases.
E Deteriorating financial position due to interest rate and price effects
This is the risk we face
Developments in interest rates, energy prices, inflation, raw materials and exchange rates affect our results, financial ratios and, consequently, Enexis’ financing capacity. These fluctuations may limit our ability to secure financing, which may increase the need for equity capital for the same business activities. In particular, price risks related to interest rates and energy prices, especially in relation to the purchase of grid losses, could significantly increase the need for additional equity.
This is how we reduce the risk
To manage interest rate risk, Enexis has several instruments at its disposal and we continue to closely monitor the possible effects of interest rate developments.
Exposure to commodity price risks increases with the size of Enexis. This risk is currently not actively managed. The risk of grid losses for electricity and gas is hedged until 2031 by securing specific purchase volumes.
This is how high we estimate the risk
The company will continue to be exposed to this risk in the future. Past fluctuations in interest rates are no guarantee of stability, and significant changes may still occur.
F Enexis is insufficiently agile to implement complex and profound change
This is the risk we face
Uncertainty about customer demand remains high. See also risk A. There is a risk that our targets could be jeopardised if our customer processes do not adapt quickly enough. This includes targets in areas such as implementation, congestion reporting, capacity release, congestion management contracts and customer satisfaction. A lack of agility could also undermine our decisiveness and reliability, placing significant demands on the organisation and its people to adapt.
While we have the ambition to change and accelerate, the complexity of the processes means that this does not always happen as quickly as we would like. The market facilitation chain operates in a rapidly evolving landscape that we, as Enexis, must be able to anticipate.
This is how we reduce the risk
As part of a chain plan for High-volume consumers & Grids, we are working on improved processes and products, supported by a Product Board and an associated product portfolio.
Relationship management is an important focus. We have a dedicated congestion team and work closely with various stakeholders in the sector. Enexis is actively involved in sector-wide programmes with strong programme management aimed at simplifying governance and optimising resource use. Plans to intensify this cooperation are being developed and implemented.
We are also pushing ahead with the implementation of the decision on the Congestion Management Code. In addition, we are developing a Consideration Framework to determine which contracts can be offered in 2025 within the limited contracting opportunities available.
To enhance the agility of our workforce, leadership development remains a strategic priority. The Future Fit Leadership programme will be extended to middle management. Through initiatives such as leadership programmes and the personal assessment and development programme, we encourage management and employees to be more agile, bold and innovative. Our recruitment, management development and employee vitality policies deliberately emphasise agility and decisiveness as essential skills.
To improve employee adaptability, we will emphasise sustainable employability, career development and a positive work experience, as well as smart and innovative training methods.
This is how high we estimate the risk
We consider this risk to be higher than last year. The rapid succession of external and internal developments and the required annual increase in workload challenge our ability to adapt and implement change effectively.
G Reputational damage as a result of our failure to respond appropriately to complaints and to offer customers a course of action
This is the risk we face
Customers and stakeholders want clarity and direction to help them achieve their goals. However, we cannot always provide the level of transparency they expect. There are uncertainties in planning and executing network investments, and new products or technical solutions need to be developed. Wherever possible, we involve stakeholders in shaping future plans, but this close collaboration can create expectations that we cannot always meet.
Negative events or reports about other players in the industry can also harm Enexis’ reputation. These uncertainties increase the risk of complaints, claims, reputational damage and even potential debates about our licence to operate. There is a risk that we may not respond quickly or appropriately when such situations arise.
This is how we reduce the risk
Within Enexis and within the sector (Netbeheer Nederland), we are working to improve transparency, particularly concerning waiting lists and timescales for restoring capacity. Initiatives are underway to improve communication and customer service, such as more personalised customer service, communicating the ‘new reality’, digital walk-in advice, setting up a Product Board and product portfolio, webinars and scenarios for businesses (sites).
We have placed greater emphasis on managing stakeholder expectations. In each province, we are working through task forces to discuss the Provincial Multi-Year Infrastructure, Energy and Climate Programme (pMIEK), focusing on prioritisation and programming. A Future Energy System Campaign is also underway to engage stakeholders in our activities and explain their implications.
Our broader communications efforts include the ongoing involvement of communications consultants and proactive monitoring of stakeholder relationships. We continuously improve the skills of our employees through training, particularly in areas such as social security, and maintain a well-structured crisis communication framework to ensure timely, open and transparent communication in critical situations.
Sector-wide, we are developing a communications framework to manage expectations better. This includes educating customers about the requirements of a future-proof energy system, such as increased flexibility in energy use. We are also focusing on strengthening our public image by explaining our role and the important work we are doing to drive the energy transition. We are also improving the transparency of information on new products, including through government portals that provide maps and neighbourhood proposals.
This is how high we estimate the risk
Our risk assessment remains unchanged from last year. Media attention continues to increase, but we have also improved our ability to communicate promptly and transparently. Overall, the level of risk remains the same.
H Limitations and uncertainties regarding regulations and permit processes
This is the risk we face
Existing laws and regulations, as well as uncertainties surrounding new legislation, hinder or could hinder our ability to respond effectively and quickly to customer demand and grid expansion.
The energy system of the future requires space, both above and below ground. However, spatial challenges mean that Enexis cannot build network infrastructure fast enough. The spatial aspects of energy supply are often considered late in the planning process, and the length of planning procedures threatens to become a major bottleneck for grid expansion. We are in close contact with municipalities and are actively sharing best practices in the hope that they can be replicated elsewhere.
Litigation is also on the rise. Disputes often arise when we are unable to meet (statutory) connection deadlines or when we have to refuse requested transmission capacity. The legal framework for new products remains underdeveloped and complex, leading to different interpretations of new regulations. This causes dissatisfaction in society and requires additional resources from Enexis to develop solutions, mediate with customers and prevent legal action.
Another challenge is our dependence on Dutch policy-making. Slow legislative processes and changing regulatory frameworks make it difficult for Enexis to define a stable long-term strategy. This unpredictability and delay in decision-making may have a negative impact on the development of long-term solutions.
This is how we reduce the risk
The Chain Optimisation Spatial Planning (in dutch: KORO) programme ensures that spatial planning does not become an obstacle to our goals. This programme focuses on improving the quality of the spatial planning chain, increasing predictability and reducing lead times.
Corporate & Legal Affairs (CLA) plays a key role in implementing congestion management to increase available transmission capacity. CLA also contributes to the development and implementation of Flex products. Improvements in evidence support for congestion-related legal cases are being evaluated and standardised. In addition, relevant case law will be analysed and conclusions shared with operations and management to improve processes.
To better understand the legal and regulatory framework affecting our industry, we maintain close contact with the government, both directly and through industry partnerships.
This is how high we estimate the risk
This risk comprises three combined risks: ‘Spatial planning’, ‘Increasing litigation due to scarcity’ and ‘Delays and changes in laws and regulations’. The first risk, in particular, is becoming increasingly apparent in the production process. As a result, we consider the risk to be higher than last year.
I Poor data quality leads to unreliable (future) management information
This is the risk we face
The accuracy, completeness and timely availability of data is essential for Enexis. This data is needed in our daily processes for the preparation of accountability information (such as the annual report) and for management.
In the future, we will increasingly use forecasting models to try to predict developments. The better the quality of the data, the more reliable the results.
This is how we reduce the risk
Our data governance structure and processes ensure that data owners and managers are involved in providing the data for which they are responsible. This ensures that the data is adequately represented and that interpretations of the data are correct.
In recent years, we have worked to achieve a higher level of data maturity. We proactively identify and document our key business data. After assessing the quality, we determine which data is up to standard and which is not. Based on this, we determine what is needed to improve the quality and formulate actions.
We also build our metadata framework and data quality framework to ensure that our data is organised so that all our resources, techniques and processes work together as a consistent data ecosystem.
This is how high we estimate the risk
This is a new risk that has been identified as strategic. As the use of data in forecasting models increases, so do the demands on data quality. Although we currently rate the risk as medium (in terms of probability and impact), we anticipate that data quality risks will only increase in importance over the coming years.