Risk and opportunity management

Risk Management is a process that is implemented in all Business Units and in every corporate function. It favours the achievement of our goals and, ultimately, turns uncertainty into a path to success.

Today, the world is facing a multitude of challenges, including social, geopolitical, technological, and environmental issues such as climate change, pollution, the proliferation of armed conflicts, disinformation, cyberattacks, and even the emergence of new forms of artificial intelligence (AI). If not addressed properly, these challenges could have significant consequences for both society at large and organisations in particular.

We are exposed to a wide range of risks inherent to our operations and the countries in which we operate.

These risks could impact our performance and hinder or prevent us from achieving our objectives. In this context, Risk Management plays a crucial role in our organisation, enabling us to manage risks and opportunities effectively. This involves managing uncertainty in all our activities and projects, preventing or minimising unwanted outcomes (risks) and maximising or amplifying desirable effects (opportunities), thereby contributing to the achievement of planned results.



Corporate Governance of risk management

We have a risk management policy and process approved by our Board of Directors, both subject to annual review.

Risk management in Aleatica is a systematic, continuous, strategic and transversal process promoted and supervised by the Board of Directors through its Audit Committee, with the support of Senior Management. This process is an integral part of the company’s corporate culture, based on the Corporate Integrity pillar.

By actively managing risks and opportunities at all levels of the organisation, we seek to integrate and apply these principles in all activities and projects developed by Aleatica. This serves as the foundation for decision-making, aligning us with the corporate strategy and objectives to facilitate their achievement.

At Aleatica, risk management is a process of continuous improvement that enables us to adapt and respond effectively to the challenges and changes in our business. In the Business Units and corporate functions, we collaborate closely with the Risk Management Department to identify and evaluate risks, define controls and actions, and ensure their effectiveness. We also develop mitigation plans, monitor their implementation, and identify and update existing risk information in response to potential changes in the internal and/or external environment.

In August 2024, Aleatica obtained UNE-ISO 31000 certification for risk management. This achievement demonstrates our commitment to the effective and efficient management of risks and opportunities and reinforces our pillar of Corporate Integrity.

Risk culture

At Aleatica, we follow the Enterprise Risk Management Framework—Integrating with Strategy and Performance (ERM 2017) by COSO, which emphasises the importance of embedding risk management fundamentals in corporate culture.

During FY2024, we provided risk management training through on-site and online courses, using our corporate training tool. Specifically, the training provided during the year was:

Emerging risks, key risks, and KRIs

Two in-person workshops in Italy and the United Kingdom, focusing on emerging risks, with a total participation of 14 team members.

Webinar on risks associated with artificial intelligence

Online training involving team members and independent advisors (one-hour virtual workshop led by an expert in the field, with a total of 521 participants).

Introduction to risk management

One-hour individual training for 38 participants and individual training through the corporate training application for 152 new hires.

Risk update course

A five-minute training video aimed at 167 employees to reinforce the concept of risk and emerging risks.

We also use internal communication channels, including emails and fixed screens, to disseminate messages related to risk management. Additionally, we have a dedicated risk management section in the monthly newsletter, One Aleatica, which is distributed to the entire global workforce.

In 2024, we published five articles on risk management in our internal magazine, displayed six messages on digital screens (with a total runtime of 710 minutes), issued four communications on the Risk Department, and published two articles in external magazines.

Significant risks and material changes are communicated and reviewed by Executive Management, including regional directors. The status of risks and corresponding mitigation actions are reported at least quarterly to Business Unit Committees and/or Boards, the Group, and the ESG Committee.

In addition, top executives and Business Unit leaders certify quarterly their awareness of risks, controls, and mitigation measures within their scope of responsibility, reinforcing a culture of risk awareness and accountability across the organisation.

Risk and opportunity management process

Through our Integrated Risk Management Framework, we continuously identify, assess, control, monitor, and report on the full spectrum of strategic, financial, operational, and compliance risks and opportunities that affect the organisation.

Risks are identified by the owners within each Business Unit and functional area. To support this process, the organisation uses a comprehensive risk taxonomy (universe) that is regularly updated and reflects potential exposures. This taxonomy includes ESG-related risks—such as environmental, human rights, and workplace safety—alongside other business risks. Climate change risks are also incorporated in line with the TCFD (Task Force on Climate-related Financial Disclosures) framework. Classifying risks under this taxonomy enables consistent analysis, aggregation, and reporting, while also showing their interdependencies rather than treating them in isolation.


Risks are evaluated based on both impact and likelihood of occurrence through three levels of assessment:

  • Inherent risk (before applying mitigation controls),

  • Residual risk (after adopting mitigation measures),

  • Objective risk (after full implementation of mitigation or action plans).

An IT tool supports the entire assessment process, ensuring consistency and efficiency.


Each Business Unit and functional area defines control measures and mitigation plans for the risks identified. These are documented, monitored continuously, and updated as necessary. While some risks remain outside the organisation’s direct control (e.g., regulatory changes, political or economic shifts, or market volatility), they are nevertheless identified, assigned to responsible owners, and tracked. Responsible persons are tasked with ensuring proper management and execution of mitigation plans.

The Risk Management Department, in collaboration with Business Units and Corporate Functions, oversees progress on mitigation plans and monitors the evolution of risks. Regular updates ensure proactive oversight and accountability.



Key risks

Our organisation faces various risks and uncertainties. Below are some of the key risks currently impacting our business and performance.

Occupational Health & Safety

Inadequate workplace safety conditions for employees or third parties operating at our facilities (e.g., lack of safety protocols, occupational controls, etc.) increase the likelihood of workplace accidents. This risk also includes psychosocial risks and their poor management.

Business Ethics

Lack of monitoring/application of principles, guidelines, and standards of good conduct in Aleatica's relationships with its stakeholders (e.g., team, administrations, suppliers, etc.).

Traffic Accidents

Traffic incidents that cause harm to people or property, including fatalities, can result from either internal or external factors.

Customer Experience

Risk of failing to comply or complying inadequately with quality commitments related to the care of customers (both internal and external).

Environmental and Social Sustainability

The operational continuity of Aleatica is dependent on our relationship with the communities where we operate and our care for the environment. Our culture of social and environmental sustainability promotes social and environmental benefits by having a positive effect on business sustainability.

Cybersecurity

Risk associated with our inability as a company to protect our data from unauthorised access to Aleatica systems, networks, and applications, which would allow third parties to obtain confidential information about employees, customers, and/or operations. This risk also includes inadequate identity and access management, as well as failure to protect the company from viruses or sabotage due to its vulnerabilities (e.g., lack of adequate testing and monitoring).

Climate Change

Climate change brings threats such as floods, landslides, heat waves, droughts, extreme temperatures, and fires that could damage our infrastructure, disrupt our operations, and pose risks to the physical integrity and health of our employees, customers, and communities. In addition, the transition to a low-carbon economy involves risks associated with public policy, technology, reputation, and the market.

Physical and Asset Security

Inability to guarantee the physical safety of individuals, including employees, suppliers, and customers, as well as the security of the company's assets in its daily activities, all in order to ensure the viability and continuity of the business. Assets may be affected in terms of physical damage or destruction of material goods (including the consequent loss of use of such goods).

Air Pollution and Emissions

Greenhouse gas emissions resulting from Aleatica's activities (e.g., use of polluting machinery, petrol-powered vehicles, etc.).

Biodiversity Loss

Adverse impacts on biodiversity (including, among others, terrestrial, marine, and aquatic ecosystems and other ecological complexes such as specific properties) resulting from the actions of Aleatica. This risk also refers to the inability to manage or respond effectively or sufficiently to the damage caused by Aleatica in this environment (lack or ineffectiveness of the response plan).

Waste and Materials

Inappropriate disposal, supply, and treatment of waste (anything that a person or organisation intends or is required to dispose of) or materials (inputs used to provide services, which may be classified as non-renewable or renewable).

Diversity, Equity, and Inclusion

Failure to ensure proper definition or implementation of diversity and inclusion policies in the workplace, as well as adequate gender equality, negatively affects elements such as commitment, satisfaction, talent, and leadership quality.

Financial

We are exposed to various financial risks, including interest rate, exchange rate, and liquidity risks. Failure to meet our financial obligations could impact our liquidity and affect our business, financial condition, and operating results.

Emerging risks

We may encounter emerging risks, which are new or uncertain risks that could become more prominent in the future due to new external contexts. These scenarios could potentially impact our organisation in the medium and long term, making them worthy of close monitoring.


Here are some emerging risks that could potentially impact our business:

While artificial intelligence offers numerous opportunities to improve efficiency and innovation across the business spectrum, especially in processes, activities, and informed decision-making, it also carries significant risks that require our attention. For example, in terms of threats, AI could amplify existing biases if the data used to train it is unrepresentative or biased, and a lack of transparency in algorithms can make it difficult to understand how decisions are made, which can lead to accountability issues. In addition, there is a risk of job displacement, as automation can reduce the need for certain types of human labour. The potential vulnerability of AI to cyberattacks and the misuse of personal data could impact security and privacy. The misuse of AI in areas such as mass surveillance or the creation of autonomous weapons raises serious ethical and security dilemmas.

These threats, together with the new regulations governing this area, are a key factor in developing and implementing preventive control measures to ensure the appropriate use of AI (technical and organisational measures), in assessing the risks arising from the use of this technology and its impact, and in monitoring and reporting, etc.

We are facing an increasing number of challenges from a social and environmental perspective. Social and environmental conditions are undergoing significant changes, which translates into the emergence of new threats and risks to consider. The main risk factors to be assessed include:

  • The impact of climate change on our activity, caused by global warming, extreme weather events, and changes in weather patterns.
  • The scarcity of natural resources could trigger greater competition in terms of demand, conflicts, and increased operating costs for the company.
  • The constant evolution of regulations related to sustainability and their requirements and scope gives rise to compliance and reporting risks.
  • Risks related to the so-called social license to operate and customer expectations. Both communities and customers are increasingly aware of the environmental and social impact of their decisions.
  • Failure to adopt sustainable practices could lead to reputational damage, loss of market share, negative impact on our operations, etc.