Risk management is embedded throughout our organization to provide resilience, agility and growth.
'priority 1 risk areas'
ERM and resilience champions
Our tailored enterprise risk management approach
As a company operating globally in the semiconductor market, we are exposed to risks of increased volatility, uncertainty, complexity, and ambiguity, particularly in light of current geopolitical instabilities. For a description of ST’s risk factors, please refer to the relevant section in our 2022 annual report Form 20-F and our 2022 statutory annual report including IFRS financial statements, available on investors.st.com.
ERM process aligned with
Our embedded approach to enterprise risk management (ERM) is formalized in a specific policy and is aligned with ISO 31000. It enables us to:
- set and enable our Company strategy, manage our performance, and capitalize on opportunities
- systematically identify, evaluate, and address specific risk scenarios
Our ERM improvement roadmap includes deploying our risk framework, which:
- considers the interests of our stakeholders
- addresses uncertainty explicitly
- is pragmatic and tailored to ST
- is an integral part of our processes and decision-making
- is proactive, structured, dynamic, iterative and responsive to change
- is based on the best available information
ST’s ERM framework
Governance, organization and culture
Managing risk and opportunity
Our risk approach is managed by our Chief Audit and Risk Executive under the direct responsibility of our Managing Board and the oversight of our Supervisory Board. The scope of this oversight role is detailed in our Supervisory Board Charter.
Our risk governance is described in the following chart:
Risk management activities are governed by our risk appetite strategy, which is discussed annually at Supervisory Board and Audit Committee levels.
We determine the amount of risk we are willing to pursue or retain, depending on the expected rewards, opportunities, and costs.
Our risk appetite depends on the nature of risks. As an illustration, through well-designed and effective internal controls, we strive to eliminate or mitigate as much as possible the following risk categories:
- corporate governance
- product quality
- operational resilience (internal events)
- protection of intellectual property and other sensitive information
- people, health and safety
- environmental regulations and commitments
- adherence to our Code of Conduct and compliance with applicable laws and regulations
- protection against cyber threats
Our holistic ERM process is embedded company-wide and within more than 20 organizations, to ensure specific risk scenarios are addressed at the right level. By systematically considering the views of numerous executives and external sources, we continually strive to identify and address emerging risks, including those that are externally driven, fast-evolving, or that might be of significance in the medium- to long-term.
During 2022, we refreshed our Company risk assessment with the executive management team. The output from this exercise was a risk map linked to our strategic objectives, including 12 redefined ‘priority 1’ risk areas.
Risk owners (members of senior management) were appointed for each priority risk area to develop risk response plans, adapt to changing external conditions, and enhance monitoring capabilities. These risk response plans are regularly reviewed by the Executive Committee and periodically discussed with the Supervisory Board and Audit Committee.
Each organizational unit throughout the Company completes its own risk assessment. This includes marketing and sales regions, product groups, manufacturing and technology, and corporate functions.
Improving our resilience
We have extended our risk approach to encompass a dedicated Resilience Management System (RMS), including business continuity and crisis management, to address the following risk factors:
- continuity of major sites
- manufacturing flexibility across internal and/or external sites
- continuity of full supply chain, including third parties
- managing business continuity and crisis communication to clients and other stakeholders
- improving company-wide capability to respond to crises
Managing the consequences of geopolitical developments
In 2022, we activated a dedicated Corporate Crisis Team (CCT), reporting directly to the Executive Committee, to steer our response to the Russia-Ukraine conflict and its evolving implications. We have consistently maintained our focus on two overarching priorities:
- first, ensuring the health, safety and security of our people
- second, adapting and executing our business continuity plans, actively managing the situation across our whole supply chain, and working closely with our customers, suppliers, and partners
Learning from the experience gathered during the COVID-19 pandemic, the CCT coordinated our response across all relevant areas, including:
- monitoring international developments
- managing global travel and health and safety (including psychological support)
- monitoring the ST-specific situation and the deployment of measures in our regions/sites
- monitoring our business, supply chain, and manufacturing, in particular sourcing materials and energy, and ensuring compliance with applicable international trade rules and sanctions
- ensuring internal and external communications
- managing continuity for support functions
Executive Vice President,
Chief Audit and Risk Executive
In 2022, the COVID-19 pandemic continued to create a fast-moving risk environment that varied according to location. In addition, the Russia-Ukraine conflict in Europe triggered multiple implications, including trade sanctions, disruptions to supply chains, and energy sourcing challenges. We faced multiple challenges requiring the continuous mobilization of our management and our dedicated crisis teams to continue to provide our people with a safe working environment and maintain business continuity. 2022 highlighted our overall resilience in highly volatile conditions requiring constant adaptation.”
In 2022, as detailed in our multiyear improvement roadmap, we further embedded the RMS in our main sites and selected organizations, leveraging our Corporate Resilience Competence Center and a global network of resilience champions.
For the first time since 2019, more than 50 resilience champions gathered for a three-day internal conference where best practices and upcoming improvements were discussed. We implemented several incremental improvements to our RMS with fully aligned methodologies and toolkits across ERM, resilience, business continuity, and crisis management. This provides a consistent methodology to address potential business disruptions to our resources, such as:
- site unavailability
- people unavailability
- IT system disruptions, such as cyber-attacks
- critical sourcing and logistics/transportation disruptions
As such, we address scenarios that may affect our supply chain and operations, enabling us to continually improve our continuity plans. Such scenarios include:
- natural hazards (such as earthquakes, floods, snowstorms, volcanic eruptions, or tsunamis)
- industrial accidents (such as fires and explosions)
- facilities and energy interruptions
- major impacts related to human activities (such as geopolitical tensions, terrorism or strikes)
In 2022, we further developed an ST-specific methodology underpinning a global risk management dashboard: a range of relevant indicators based on internal or external standards, covering dimensions such as:
- exposure to natural hazards
- loss prevention
- facilities robustness
- equipment modernization and redundancy
- IT infrastructure
- cyber protection
For major sites, these indicators are compiled in a Site Resilience Index (SRI), which is updated and improved on a quarterly basis. In 2022, our quality laboratories were included in the SRI. Site management teams prepare and update an annual site improvement plan accordingly.
recertified for 3 years
ST has been ISO 22301 certified since 2016. Throughout 2022, our improvements have been subject to both internal audits and recertification audits from the certification body. ST was duly recertified for a three-year cycle until 2025. External surveillance audits and internal audits are scheduled to take place in 2023.
ST was recognized by Resilinc, a leading supply chain risk management company, as ranking among the top 30 suppliers to the high-tech industry with the best risk programs in place. Suppliers were selected based on their Resilinc R Score®, a patented risk-scoring system that measures supply chain resilience based on key metrics including performance, network resilience, transparency, continuity of supply, and risk program maturity.
The identification of our priority sustainability topics is formalized through a regular multistakeholder materiality exercise (see Sustainability strategy).
Company-level sustainability risk scenarios are then addressed as part of our ERM program. Our response level corresponds to the level of risk identified. This mapping enables sustainability risks to be fully integrated into the priority risks of the Company.
In 2022, we identified our main focuses and long-term risk mitigation actions as:
- climate change, with specific attention on securing investment for carbon neutrality, maximizing energy savings and renewable energy (see Energy and climate change)
- water management with reinforcement of water strategy and policy (see Water)
- diversity, equity and inclusion with training developments, diverse networks creation and, monitoring enhancement (see Diversity, equity and inclusion)
- human resources programs, to ensure sustainable hiring, retention, and transformation (see Talent attraction and engagement)
- health and safety, with specific programs dedicated to well-being and psychosocial risk reduction (see Health and safety and Labor and human rights)
Other priority topics identified relate to chemicals and pollution management (see Chemicals), supply chain responsibility (see Responsible supply chain), and new reporting and regulatory standards for people and the environment (for example, EU Taxonomy, US and EU forced labor bans).
By identifying these risks and mitigating them through dedicated actions and programs, we can reduce our environmental and social footprint and find new opportunities to create positive value for our Company and our stakeholders.