Our tailored enterprise risk management approach
As a company operating globally in the semiconductor market, we are exposed to risks of increased volatility, uncertainty, and complexity, particularly in the current environment. For a description of ST’s risk factors, please refer to the relevant section in our 2021 annual report Form 20-F and our 2021 Statutory Annual Report including IFRS financial statements, available on investors.st.com.
Our embedded approach to enterprise risk management (ERM) is formalized in a specific policy and is aligned with ISO 31000. It enables us to:
- set and enable our Company strategy, manage our performance, and capitalize on opportunities
- systematically identify, evaluate and treat specific risk scenarios
Our ERM improvement roadmap includes deploying our risk framework that:
- considers the interests of our stakeholders
- addresses uncertainty explicitly
- is pragmatic and tailored to ST
- is an integral part of ST processes and decision-making
- is proactive, structured, dynamic, iterative and responsive to change
- is based on the best available information
Our risk framework is described in the following chart.
[Chart: ST’s ERM framework, covering governance, organization and culture, and managing risk and opportunity]
Our risk approach is managed by our Chief Audit and Risk Executive under the direct responsibility of our Managing Board and the oversight of our Supervisory Board. The content of this oversight role is detailed in our Supervisory Board Charter.
Our risk governance is described in the following chart:
Managing risk according to our risk appetite strategy
Risk management activities are governed by our risk appetite strategy, which is discussed annually at Supervisory Board and Audit Committee levels.
We determine the amount of risk we are willing to pursue or retain, depending on the expected rewards, opportunities, and costs.
Our risk appetite depends on the nature of risks. As an illustration, through well-designed and effective internal controls we strive to eliminate or mitigate the following risk categories to the lowest possible level:
- corporate governance
- product quality
- operations resilience (internal events)
- protection of intellectual property and other sensitive information
- people, health and safety
- adherence to our Code of Conduct and compliance with applicable laws and regulations
- protection against cyber threats
The embedded ERM process takes a holistic view, combining both Company-wide ‘top-down’ and ‘bottom-up’ perspectives, to ensure that specific risk scenarios are addressed at the right level.
During 2021, we refreshed our Company risk assessment with Executive Management. The output from this exercise was a risk map linked to our strategic objectives, including 12 ‘priority 1’ risk areas.
Risk owners (members of senior management) were appointed for each priority risk area to develop risk response plans, adapt to changing external conditions and enhance monitoring capabilities. The risk response plans are regularly reviewed by the Executive Committee and discussed periodically with the Supervisory Board and Audit Committee.
Each organizational unit throughout the Company completes its own risk assessment. This includes Marketing and Sales regions, Product Groups, Manufacturing and Technology, and corporate functions, as well as large transformation initiatives.
Continuously improving our resilience
We have extended our risk approach to encompass a dedicated Resilience Management System (RMS), including both business continuity and crisis management, addressing the following dimensions:
- continuity of major sites
- manufacturing flexibility across internal and/or external sites
- continuity of full supply chain, including third parties
- managing business continuity and crisis communication to clients and other stakeholders
- improving Company-wide capability to respond to crises
In 2021, as per our multi-year improvement roadmap, we further embedded the RMS in our main sites and selected organizational units, leveraging our ‘Corporate Resilience Competence Center’ and a global network of ‘Resilience Champions’. We deployed a number of incremental improvements to our RMS, including a refreshed procedural framework, and fully aligned methodologies and toolkits across ERM, resilience, business continuity and crisis management. The RMS provides a consistent methodology to address potential business disruptions to our resources, such as:
- site unavailability
- people unavailability
- IT system disruptions, such as cyber-attacks
- critical sourcing and logistics/transportation disruptions
As such, we address scenarios that may affect our supply chain and operations, enabling us to continuously improve our continuity plans. Such scenarios include:
- natural hazards (such as earthquakes, floods, snowstorms, volcanic eruptions or tsunamis)
- industrial accidents (such as fires and explosions)
- facilities and energy interruptions
- major impacts related to human activities (such as geo-political tensions, conflicts, terrorism or strikes)
Facing the pandemic
Throughout 2021, our Corporate Crisis Team (CCT), directly reporting to ST’s Executive Committee, has continued to orchestrate our global response to the COVID-19 pandemic, driving our network of crisis teams at regional, country and site levels to address the complexity of local conditions. We have consistently maintained our focus on two overarching priorities:
- first, maximizing measures to prevent infection, and supporting our employees and their families
- second, executing our business continuity plans, actively managing the situation across our whole supply chain, working closely with our customers, suppliers and partners
In 2020, we conducted an initial exercise to learn from the early phases of the pandemic. This led to several improvements in our crisis management set-up for 2021 and enabled us to adapt to ongoing developments. In 2021, we conducted a second review, driving further improvements.
The CCT continues to coordinate our response across all relevant areas, including:
- monitoring international developments
- global travel and health and safety management (including psychological support)
- monitoring the ST-specific situation and the deployment of measures in ST regions/sites
- monitoring our business, supply chain and manufacturing
- internal and external communications
- support function continuity management
“In 2021, the COVID-19 pandemic created a fast-moving risk environment that varied according to location. This was largely due to differences in public health policies, in particular the speed and extent of public vaccination campaigns. We faced multiple challenges requiring the continuous mobilization of our management and our dedicated crisis teams to continue to provide our people with a safe working environment and maintain business continuity. This second year of the pandemic highlighted our overall resilience in highly volatile conditions requiring constant adaptation.”
Executive Vice President, Chief Audit and Risk Executive
In 2021, we developed and rolled out an ST-specific methodology underpinning a global dashboard: a range of relevant indicators based on internal or external standards, covering dimensions such as exposure to natural hazards, loss prevention characteristics, facilities robustness, equipment modernization and redundancy, IT infrastructure quality, and cyber protection. For major sites, these indicators are compiled in a Site Resilience Index (SRI), which is updated and improved on a quarterly basis. Annually, site management teams prepare and update a Site Improvement Plan accordingly.
ST has been ISO 22301 certified since 2016. Throughout 2021, our continuous improvements have been subject to surveillance audits from the certification body, and internal audits. Recertification audits are scheduled to take place in 2022.
The identification of our priority sustainability topics is formalized through a regular multi-stakeholder materiality exercise (see Sustainability strategy). Company-level sustainability risk scenarios are then addressed as part of our ERM program in a cross-functional manner.
Specific activities conducted include:
- defining policies that embed risk mitigation strategies with concrete actions
- adopting reference standards such as ISO 45001 for safety, and ISO 14001 for the environment
- monitoring labor conditions and correcting deviations in our own operations according to the Responsible Business Alliance (RBA) standards for corporate social responsibility (see Labor and Human rights)
- specifically addressing climate and water-related risks (see Energy and Climate Change and Water)
- providing stewardship to our supply chain through the adoption of the RBA standard and an environmental and social due diligence process that considers potential adverse impacts
- conducting a specific annual risk assessment of our tier 1 suppliers focusing on labor and human rights, environment, health and safety, and ethics (see Responsible Supply Chain)
By identifying these risks and mitigating them through dedicated programs, we can reduce our environmental and social footprint and find new opportunities to create positive value for our Company and our stakeholders.