Risk management

Leonardo's risk governance, in line with the Corporate Governance Code for listed companies, the Organization, Management and Control Model under Legislative Decree 231/01 and Leonardo's Anti-Corruption Code, as well as with national and international standards and best practices, provides that:

  • the Board of Directors oversees the internal control and risk management system and defines its guidelines, so that the main risks are correctly identified, assessed, managed and monitored, and the nature and level of risk the company accepts (Risk Appetite) are determined and kept consistent with the strategic objectives and the long-term sustainability of the business,
  • the control bodies (Control and Risks Committee, Board of Statutory Auditors, Surveillance Body) have access to information and an adequate overview of the risk management and control systems, consistent with their monitoring responsibilities,
  • the second-tier functions define processes, procedures and methodologies so that company activities are dealt with using a "risk based" approach,
  • the business units and the technical and support functions identify, evaluate and, taking into account the relevant Risk Appetite, treat enterprise and project risks, with reference to defined objectives and managed processes, reporting adequately to higher levels,
  • Internal Audit systematically acquires, at least on an annual basis, the results of the risk assessment and monitoring activities, in order to perform its own evaluation and plan the control activities under its responsibility.


In the Leonardo organizational model, the Risk Management unit, in close collaboration with the Corporate and Division structures, ensures the dissemination of methodologies, metrics and tools for the correct analysis and management of risks, with the aim of guaranteeing the creation and protection of project value and preserving over time the business value, business operations and the interests of stakeholders.

The operational management of risks in Leonardo:

  • continuously involves the whole organization in the areas of enterprise risks and project risks,
  • is supported by the Enterprise Risk Management (ERM) and Project Risk Management (PRM) processes,
  • is structured in the phases of Identification, Evaluation, Treatment and Monitoring of risks and of the related response plans.

For the management of enterprise and project risks, Leonardo uses TERRA (Tool for Evaluating Risks and Response Actions), a proprietary IT tool that supports the implementation of the process, including Reporting, allows the involvement of all internal stakeholders and guarantees the archiving of historical risk information.

Risk Appetite

The Risk Appetite is defined by the Board of Directors at least on an annual basis and represents the level of risk the company is willing to take, in alignment with its mission, business vision, and the interests of its stakeholders.

Risk Appetite is applied across the organization and in all company’s processes and it plays a key role in defining risk response strategies, effectively serving as an operational tool in risk management.

Risk Appetite is structured according to the possible nature of the risk impact (e.g., strategic, operational, compliance) and consists of a combination of likelihood and impact values within which a given risk can be considered acceptable, or, conversely, beyond which specific treatment actions must be taken.

Some examples:

  Outcome of the comparison with Risk Appetite                                                  | Risk response strategy
  ----------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------
  The risk is within the Risk Appetite limits (e.g., low impact and low likelihood)              | Acceptable risk
  The risk exceeds the Risk Appetite limits (e.g., low impact and medium-high likelihood)        | Unacceptable risk: treatment actions must be defined to bring it within acceptable levels
  The risk significantly exceeds the Risk Appetite limits (e.g., high impact and high likelihood)| Unacceptable risk: treatment actions must be urgently defined to bring it within acceptable levels

Risk Culture

Leonardo actively promotes a strong risk culture as a strategic lever to support risk-aware decision-making. In this context, systematic training and awareness-raising activities are carried out across the entire organization, including all non-executive directors, with the aim of disseminating the principles, tools and methodologies for the identification, assessment and treatment of risks.

Complementing these initiatives, on-the-job training and dedicated sessions focused on specific risk analysis areas (such as anti-corruption, sustainability and cyber risk) are also provided, contributing to the consolidation of an integrated and proactive approach to risk management.