Risk Management

Our tailored enterprise risk management approach

As a company operating globally in the semiconductor market, we are exposed to risks of increased volatility, uncertainty, and complexity, particularly in the current environment. For a description of ST’s risk factors, please refer to the relevant section in our 2021 annual report Form 20-F and our 2021 Statutory Annual Report including IFRS financial statements, available on investors.st.com.

ERM process aligned with ISO 31000

Our embedded approach to enterprise risk management (ERM) is formalized in a specific policy and is aligned with ISO 31000. It enables us to:

  • set and enable our Company strategy, manage our performance, and capitalize on opportunities
  • systematically identify, evaluate and treat specific risk scenarios

Our ERM improvement roadmap includes deploying our risk framework that:

  • considers the interests of our stakeholders
  • addresses uncertainty explicitly
  • is pragmatic and tailored to ST
  • is an integral part of ST processes and decision-making
  • is proactive, structured, dynamic, iterative and responsive to change
  • is based on the best available information

Our risk framework is described in the following chart.

ST’s ERM framework

Governance, organization and culture

  • Risk oversight and governance
  • Risk culture
  • Risk appetite
  • Risk functions and communities

Managing risk and opportunity

  • Response to and monitoring of risk and opportunity
    (enabling strategy and performance)

Risk enablers

  • Risk reference documentation (policies and procedures)
  • Risk processes (definition and methodologies)
  • Risk tools

Our risk approach is managed by our Chief Audit and Risk Executive under the direct responsibility of our Managing Board and the oversight of our Supervisory Board. The content of this oversight role is detailed in our Supervisory Board Charter.

Our risk governance is described in the following chart:

Risk management – risk governance (graphic)

Managing risk according to our risk appetite strategy

Risk management activities are governed by our risk appetite strategy, which is discussed annually at Supervisory Board and Audit Committee levels.

We determine the amount of risk we are willing to pursue or retain, depending on the expected rewards, opportunities, and costs.

Our risk appetite depends on the nature of the risk. As an illustration, through well-designed and effective internal controls we strive to eliminate, or reduce to the lowest practicable level, risks in the following categories:

  • corporate governance
  • product quality
  • operations resilience (internal events)
  • protection of intellectual property and other sensitive information
  • people, health and safety
  • adherence to our Code of Conduct and compliance with applicable laws and regulations
  • protection against cyber threats

The embedded ERM process takes a holistic view, combining both Company-wide ‘top-down’ and ‘bottom-up’ perspectives, to ensure that specific risk scenarios are addressed at the right level.

STMicroelectronics’ ERM process (graphic)

12 ‘priority 1’ risk areas

During 2021, we refreshed our Company risk assessment with Executive Management. The output from this exercise was a risk map linked to our strategic objectives, including 12 ‘priority 1’ risk areas.

Risk owners (members of senior management) were appointed for each priority risk area to develop risk response plans, adapt to changing external conditions and enhance monitoring capabilities. The risk response plans are regularly reviewed by the Executive Committee and discussed periodically with the Supervisory Board and Audit Committee.

Each organizational unit throughout the Company completes its own risk assessment. This includes Marketing and Sales regions, Product Groups, Manufacturing and Technology, and corporate functions, as well as large transformation initiatives.

Continuously improving our resilience

We have extended our risk approach to encompass a dedicated Resilience Management System (RMS), including both business continuity and crisis management, addressing the following dimensions:

  • continuity of major sites
  • manufacturing flexibility across internal and/or external sites
  • continuity of the full supply chain, including third parties
  • managing business continuity and crisis communication to clients and other stakeholders
  • improving Company-wide capability to respond to crises

In 2021, as per our multi-year improvement roadmap, we further embedded the RMS in our main sites and selected organizational units, leveraging our ‘Corporate Resilience Competence Center’ and a global network of ‘Resilience Champions’. We deployed a number of incremental improvements to our RMS, including a refreshed procedural framework and fully aligned methodologies and toolkits across ERM, resilience, business continuity and crisis management. The RMS provides a consistent methodology to address potential disruptions to our business resources, such as:

  • site unavailability
  • people unavailability
  • IT system disruptions, such as cyber-attacks
  • critical sourcing and logistics/transportation disruptions

As such, we address scenarios that may affect our supply chain and operations, enabling us to continuously improve our continuity plans. Such scenarios include:

  • pandemics
  • natural hazards (such as earthquakes, floods, snowstorms, volcanic eruptions or tsunamis)
  • industrial accidents (such as fires and explosions)
  • facilities and energy interruptions
  • major impacts related to human activities (such as geo-political tensions, conflicts, terrorism or strikes)

FOCUS

Facing the pandemic

Throughout 2021, our Corporate Crisis Team (CCT), directly reporting to ST’s Executive Committee, has continued to orchestrate our global response to the COVID-19 pandemic, driving our network of crisis teams at regional, country and site levels to address the complexity of local conditions. We have consistently maintained our focus on two overarching priorities:

  • first, maximizing measures to prevent infection, and supporting our employees and their families
  • second, executing our business continuity plans, actively managing the situation across our whole supply chain, working closely with our customers, suppliers and partners

In 2020, we conducted an initial exercise to learn from the early phases of the pandemic. This led to several improvements in our crisis management set-up for 2021 and enabled us to adapt to ongoing developments. In 2021, we conducted a second review, driving further improvements.

The CCT continues to coordinate our response across all relevant areas, including:

  • monitoring international developments
  • global travel and health and safety management (including psychological support)
  • monitoring the ST-specific situation and the deployment of measures in ST regions/sites
  • monitoring our business, supply chain and manufacturing
  • internal and external communications
  • support function continuity management

“In 2021, the COVID-19 pandemic created a fast-moving risk environment that varied according to location. This was largely due to differences in public health policies, in particular the speed and extent of public vaccination campaigns. We faced multiple challenges requiring the continuous mobilization of our management and our dedicated crisis teams to continue to provide our people with a safe working environment and maintain business continuity. This second year of the pandemic highlighted our overall resilience in highly volatile conditions requiring constant adaptation.”

Franck Freymond, Executive Vice President, Chief Audit and Risk Executive

ISO 22301 certified

In 2021, we developed and rolled out an ST-specific methodology underpinning a global dashboard: a range of relevant indicators based on internal or external standards, covering dimensions such as exposure to natural hazards, loss prevention characteristics, facilities robustness, equipment modernization and redundancy, IT infrastructure quality, and cyber protection. For major sites, these indicators are compiled in a Site Resilience Index (SRI), which is updated and improved on a quarterly basis. Annually, site management teams prepare and update a Site Improvement Plan accordingly.

ST has been ISO 22301 certified since 2016. Throughout 2021, our continuous improvements have been subject to surveillance audits from the certification body, and internal audits. Recertification audits are scheduled to take place in 2022.

Sustainability risks

The identification of our priority sustainability topics is formalized through a regular multi-stakeholder materiality exercise (see Sustainability strategy). Company-level sustainability risk scenarios are then addressed as part of our ERM program in a cross-functional manner.

Specific activities conducted include:

  • defining policies that embed risk mitigation strategies with concrete actions
  • adopting reference standards such as ISO 45001 for safety, and ISO 14001 for the environment
  • monitoring labor conditions and correcting deviations in our own operations according to the Responsible Business Alliance (RBA) standards for corporate social responsibility (see Labor and Human rights)
  • specifically addressing climate and water-related risks (see Energy and Climate Change and Water)
  • providing stewardship to our supply chain through the adoption of the RBA standard and an environmental and social due diligence process that considers potential adverse impacts
  • conducting a specific annual risk assessment of our tier 1 suppliers focusing on labor and human rights, environment, health and safety, and ethics (see Responsible Supply Chain)

By identifying these risks and mitigating them through dedicated programs, we can reduce our environmental and social footprint and find new opportunities to create positive value for our Company and our stakeholders.