Risks

Good risk management is of vital importance for Alliander. It gives us the assurance we need to achieve our strategic objectives in a responsible manner. We use a dedicated risk management framework that has been built around key principles. One principle is that our measures must always be consistent with our objectives. This ensures that no unnecessary demands are made on our organisation. And that no additional expenditures are incurred to mitigate risks if we believe them to be under sufficient control. This enables the entire organisation to make adjustments and improvements whenever necessary, while Alliander can comply with all laws and regulations.

• 1Safety
• 2Availability of technical staff in labour market
• 3Insufficient long-term regulatory focus
• 4Cybercrime

• 5Privacy of energy data
• 6Required competences
• 7Consequences of energy transition

1 2 3 4 5 6 7

X

Safety

Impact Very serious

Probability High

Expected development Decreasing ↓

What is the risk?

Working with gas and electricity involves health & safety risks for our employees, contractors and customers. Insufficient safety awareness or knowledge of safety measures increases the risk of accidents. Actions of third parties, whether accidental or malicious, may cause unforeseen safety risks. In a worst-case scenario, unsafe working conditions may result in serious casualties or fatalities.

How is it managed?

Within our organisation we take targeted safety measures. Despite the progress made on safety awareness last year, we were still confronted with safety incidents <LINK NAAR SAFETY INCIDENTS>. Even more attention is therefore being given to this issue. Improvements are being made to our safety culture. For example, safety risks and measures are now specifically mentioned during the pre-job meetings at the start of every day. Our processes and components are being made safer and training and refresher courses are being provided to staff. Accidents are investigated to identify the immediate and underlying causes. The findings are used to make improvements together with our internal organisation and our contractors. Our ambition is 'Everyone safely home!'

X

Availability of technical staff in labour market

Impact Serious

Probability Very high

Expected development Neutral →

What is the risk?

As the Dutch economy and the energy transition gather pace, the demand for specialised technicians is certain to grow. Unfortunately, specialised technicians are scarce in the Dutch labour market. In the coming two years, we will need at least 80 extra field service engineers for Liander and at least 50 for Liandon. There is a risk that we will not be able to recruit them fast enough. Measures are already being taken to minimise the consequences for our customers.

How is it managed?

To fill this imminent shortfall, we are conducting intensive recruitment campaigns (also targeted at foreign engineers) and investing in technical programmes at Regional Training Centres. In addition, we are freeing up extra engineering capacity by reorganising the performance of specialised tasks and through smarter planning. Cross-regional matching of supply and demand is one crucial strategy. In addition, more work is being outsourced to contractors (who face similar recruitment bottlenecks, incidentally). Finally, we are intensifying our cooperation with fellow network operators.

X

Insufficient long-term regulatory focus

Impact Serious

Probability Medium / High

Expected development Neutral →

What is the risk?

The rules within the regulated energy domain have an impact on the scope of our activities and our profitability. The failure of regulations to keep pace with changes in the energy landscape may affect the long-term continuity of our company. One major change is the envisaged sharp reduction in the use of fossil fuels. For Alliander, this could mean that our gas networks are given a different use or that customers defect from the gas network. <LINK NAAR… ZIE NL> In the latter case, we will be unable to earn back our current investments and this could jeopardise the affordability of our energy network.

How is it managed?

Constructive new legislation is vital so that we can continue investing in new initiatives for the energy system of the future. We think 30 years ahead about the impact that the transition from fossil to renewable fuels will have on the infrastructure we manage. We create future projections to indicate the necessary regulatory adjustments and discuss these with relevant parties.

X

Cybercrime

Impact Serious

Probability High

Expected development Neutral →

What is the risk?

Ongoing digitisation has made vital infrastructure (energy networks and above-ground assets) more vulnerable to political and terrorist hacking. Now that such incidents are on the rise, cybersecurity is more crucial than ever. Any failure to respond in time to rising or changing trends in cybercrime exposes Alliander to a very high risk.

How is it managed?

We protect our networks and computers against attacks by working on prevention, detection and cybersecurity response plans. Within the Association of Energy Network Operators in the Netherlands (Netbeheer Nederland), we are working intensively together to address this issue. We also maintain close ties with the Dutch National Cyber Security Centre and with other parties to keep track of the rapidly evolving developments and pick up external signals of attacks at an early stage. We are also an active participant in the European Network for Cyber Security (ENCS) to mitigate cyber security risks.

X

Privacy of energy data

Impact Serious

Probability High

Expected development Increasing ↑

What is the risk?

As part of our energy network management activities, we have access to privacy-sensitive data. This concerns e.g. connections, energy contracts, usage and costs. Clearly, safeguarding the privacy of these energy data is a high priority. The risk we run in relation to privacy violations is very real. As recently as 2016, the energy data of over two million households were stolen from one energy supplier's system. See also What have we learned. <LINK NAAR… ZIE NL>

How is it managed?

When processing energy data, we carry out privacy-impact analyses. Based on the outcomes, measures are taken where necessary. Starting from 2016, organisations are obliged to report any personal data leaks to the Dutch Data Protection Authority. Alliander has set up the requisite processes and organisation for this purpose. Our data protection efforts extend beyond our own organisation. The various players in the energy sector are taking joint action to put in place robust measures for the protection of privacy-sensitive data. The data theft that took place last year is being thoroughly investigated in order to reduce the risk of recurrence. To this end, information is being exchanged with regulators (the Dutch Data Protection Authority and the Netherlands Authority for Consumers & Markets), industry organisations (the Association of Energy Network Operators in the Netherlands and Energie-Nederland) and other relevant parties.

X

Required competences

Impact Serious

Probability High

Expected development Increasing ↑

What is the risk?

We acknowledge that the recruitment, development and retention of the competences required now and in the future constitute a strategic challenge. The energy transition has far-reaching consequences for our company. This will increasingly demand different competences, alongside our traditional in-house competences.

How is it managed?

We must have a clear idea of the critical competences that will be required in view of advancing technology and digitisation. To hire new talent, we must retain our status as employer of choice. This means offering good development opportunities as well as meaningful and challenging jobs (for both technical and IT staff). We must also try to keep our existing employees on board through training and refresher programmes. Our recruiters communicate with our target groups through social media and other channels. Finally, we are intensifying our partnerships with universities and colleges to establish an early top-of-mind presence as a potential employer.

X

Consequences of energy transition

Impact Serious

Probability High

Expected development Increasing ↑

What is the risk?

The energy transition is accelerating. Solar panels, wind farms, heat pumps and e-vehicles are in the ascendancy. Natural gas is being phased out. This means that the electricity network needs to be rapidly upgraded in many places. Regardless of the financial consequences, keeping pace with these fast developments will be operationally impossible. This poses serious risks, notably for the reliability of the energy supply.

How is it managed?

Innovative solutions can enable us to cope with the changes without requiring network upgrades or additional operational capacity. And that is a good thing. as the necessary capacity (in terms of skills and numbers) may not be sufficiently available in the market. That is why our focus is now on developing the required innovations and recalibrating our market model.

Our main risks

Risk types

Risk management is a regular item on the agenda of the Management Board and other executive and management layers within Alliander. Its application is primarily a responsibility of the line management. Risk reports disclose the extent to which our main risks are mitigated through our internal processes. Aspects we consider to be important are measured against a risk matrix based on agreed parameters. For instance, financial risks (probability multiplied by impact) from € 10 million are classified as High.
Risks that impact our other corporate values are also important. This concerns such areas as safety, quality of supply, sustainability, customer & image and laws & regulations. That is why we also keep a close eye on whether risks have an impact on these perspectives. We estimate risks (probability and impact) by taking account of the current status of controls.

Risk acceptance

The extent to which we are prepared to run risk in the realisation of our objectives differs per risk type.

• Our risk acceptance regarding compliance is low: we want to comply with all laws and regulations and act in accordance with internal procedures and the Alliander Code of Conduct.

• The safety of our employees and our networks is another area where risks must be excluded wherever possible.

• Our risk acceptance for the effective and efficient use of our operating assets is based on cost-benefit assessments.

• For strategic risks we seek the right balance between the risks and our long-term ambitions.

• For financial risks we apply a low acceptance level. This guarantees that we maintain a solid financial basis, meet the set financial criteria and fulfil our corporate social responsibility.

Risk awareness

Our previous annual report and half-year report already gave an account of risk management and internal control developments within Alliander (framework, policy, matrix). The risk awareness within Alliander is generally sufficient. The GRC supports the business to make improvements where necessary. This ongoing cooperation is bearing fruit and offers good and up-to-date insight into the uncertainties within our business. The risks that were identified as very high during the last risk inventory are the main risks facing Alliander at the present moment. These are clarified in this annual report. For a detailed description of the risks, the development of these risks and how the risk is managed, please see below 'Notes to risks'.

Financial risks, including our credit risk, are explained in note 34 to the financial statements. An extensive description of all our key operating asset risks can also be found in the Quality and Capacity Documents that are drawn up every two years. These are posted on www.liander.nl/kcd. The Corporate governance, Statement by the Management Board and Other information chapters provide more information on how risk management forms an explicit part of the internal controls and decision-making procedures. Scenario analyses are also used to highlight new developments. More general information about risk management can be found on the website alliander.com.

Primary linkage of risks and strategic pillars