Pieces of wood being stacked (photo)

Risk management

Risk management is embedded throughout our organization to provide resilience, agility and growth.

Key figures:

  • ERM: global approach
  • 12 ‘priority 1’ risk areas
  • 100+ ERM and resilience champions

Our tailored enterprise risk management approach

As a company operating globally in the semiconductor market, we are exposed to risks of increased volatility, uncertainty, complexity, and ambiguity, particularly in light of current geopolitical instabilities. For a description of ST’s risk factors, please refer to the relevant section in our 2022 annual report Form 20-F and our 2022 statutory annual report including IFRS financial statements, available on investors.st.com.

ERM process aligned with ISO 31000

Our embedded approach to enterprise risk management (ERM) is formalized in a specific policy and is aligned with ISO 31000. It enables us to:

  • set and enable our Company strategy, manage our performance, and capitalize on opportunities
  • systematically identify, evaluate, and address specific risk scenarios

Our ERM improvement roadmap includes deploying our risk framework, which:

  • considers the interests of our stakeholders
  • addresses uncertainty explicitly
  • is pragmatic and tailored to ST
  • is an integral part of our processes and decision-making
  • is proactive, structured, dynamic, iterative and responsive to change
  • is based on the best available information

ST’s ERM framework

Governance, organization and culture

  • Risk oversight and governance
  • Risk culture
  • Risk appetite
  • Risk functions and communities

Managing risk and opportunity

  • Response to and monitoring of risk and opportunity
    (enabling strategy and performance)

Risk enablers

  • Risk reference documentation (policies and procedures)
  • Risk processes (definition and methodologies)
  • Risk tools

Our risk approach is managed by our Chief Audit and Risk Executive under the direct responsibility of our Managing Board and the oversight of our Supervisory Board. The scope of this oversight role is detailed in our Supervisory Board Charter.

Our risk governance is described in the following chart:

Risk management – risk governance (graphic)

Managing risk

Risk management activities are governed by our risk appetite strategy, which is discussed annually at Supervisory Board and Audit Committee levels.

We determine the amount of risk we are willing to pursue or retain, depending on the expected rewards, opportunities, and costs.

Our risk appetite depends on the nature of risks. As an illustration, through well-designed and effective internal controls, we strive to eliminate or mitigate as much as possible the following risk categories:

  • corporate governance
  • product quality
  • operational resilience (internal events)
  • protection of intellectual property and other sensitive information
  • people, health and safety
  • environmental regulations and commitments
  • adherence to our Code of Conduct and compliance with applicable laws and regulations
  • protection against cyber threats

Our holistic ERM process is embedded company-wide and within more than 20 organizations, to ensure specific risk scenarios are addressed at the right level. By systematically considering the views of numerous executives and external sources, we continually strive to identify and address emerging risks, including those that are externally driven, fast-evolving, or that might be of significance in the medium- to long-term.

STMicroelectronics’ ERM process (graphic)

During 2022, we refreshed our Company risk assessment with the executive management team. The output from this exercise was a risk map linked to our strategic objectives, including 12 redefined ‘priority 1’ risk areas.

Risk owners (members of senior management) were appointed for each priority risk area to develop risk response plans, adapt to changing external conditions, and enhance monitoring capabilities. These risk response plans are regularly reviewed by the Executive Committee and periodically discussed with the Supervisory Board and Audit Committee.

Each organizational unit throughout the Company completes its own risk assessment. This includes marketing and sales regions, product groups, manufacturing and technology, and corporate functions.

Improving our resilience

We have extended our risk approach to encompass a dedicated Resilience Management System (RMS), including business continuity and crisis management, to address the following risk factors:

  • continuity of major sites
  • manufacturing flexibility across internal and/or external sites
  • continuity of full supply chain, including third parties
  • managing business continuity and crisis communication to clients and other stakeholders
  • improving company-wide capability to respond to crises

FOCUS

Skyscrapers by night (photo)

Managing the consequences of geopolitical developments

In 2022, we activated a dedicated Corporate Crisis Team (CCT), reporting directly to the Executive Committee, to steer our response to the Russia-Ukraine conflict and its evolving implications. We have consistently maintained our focus on two overarching priorities:

  • first, ensuring the health, safety and security of our people
  • second, adapting and executing our business continuity plans, actively managing the situation across our whole supply chain, and working closely with our customers, suppliers, and partners

Learning from the experience gathered during the COVID-19 pandemic, the CCT coordinated our response across all relevant areas, including:

  • monitoring international developments
  • managing global travel and health and safety (including psychological support)
  • monitoring the ST-specific situation and the deployment of measures in our regions/sites
  • monitoring our business, supply chain, and manufacturing, in particular sourcing materials and energy, and ensuring compliance with applicable international trade rules and sanctions
  • ensuring internal and external communications
  • managing continuity for support functions

Franck Freymond, Chief Audit and Risk Executive (portrait)

Franck Freymond
Executive Vice President,
Chief Audit and Risk Executive

“In 2022, the COVID-19 pandemic continued to create a fast-moving risk environment that varied according to location. In addition, the Russia-Ukraine conflict in Europe triggered multiple implications, including trade sanctions, disruptions to supply chains, and energy sourcing challenges. We faced multiple challenges requiring the continuous mobilization of our management and our dedicated crisis teams to continue to provide our people with a safe working environment and maintain business continuity. 2022 highlighted our overall resilience in highly volatile conditions requiring constant adaptation.”

In 2022, as detailed in our multiyear improvement roadmap, we further embedded the RMS in our main sites and selected organizations, leveraging our Corporate Resilience Competence Center and a global network of resilience champions.

For the first time since 2019, more than 50 resilience champions gathered for a three-day internal conference where best practices and upcoming improvements were discussed. We implemented several incremental improvements to our RMS with fully aligned methodologies and toolkits across ERM, resilience, business continuity, and crisis management. This provides a consistent methodology to address potential business disruptions to our resources, such as:

  • site unavailability
  • people unavailability
  • IT system disruptions, such as cyber-attacks
  • critical sourcing and logistics/transportation disruptions

As such, we address scenarios that may affect our supply chain and operations, enabling us to continually improve our continuity plans. Such scenarios include:

  • pandemics
  • natural hazards (such as earthquakes, floods, snowstorms, volcanic eruptions, or tsunamis)
  • industrial accidents (such as fires and explosions)
  • facilities and energy interruptions
  • major impacts related to human activities (such as geopolitical tensions, terrorism or strikes)

In 2022, we further developed an ST-specific methodology underpinning a global risk management dashboard: a range of relevant indicators based on internal or external standards, covering dimensions such as:

  • exposure to natural hazards
  • loss prevention
  • facilities robustness
  • equipment modernization and redundancy
  • IT infrastructure
  • cyber protection

For major sites, these indicators are compiled in a Site Resilience Index (SRI), which is updated and improved on a quarterly basis. In 2022, our quality laboratories were included in the SRI. Site management teams prepare and update an annual site improvement plan accordingly.

ISO 22301: recertified for 3 years

ST has been ISO 22301 certified since 2016. Throughout 2022, our improvements have been subject to both internal audits and recertification audits from the certification body. ST was duly recertified for a three-year cycle until 2025. External surveillance audits and internal audits are scheduled to take place in 2023.

ST was recognized by Resilinc, a leading supply chain risk management company, as ranking among the top 30 suppliers to the high-tech industry with the best risk programs in place. Suppliers were selected based on their Resilinc R Score®, a patented risk-scoring system that measures supply chain resilience based on key metrics including performance, network resilience, transparency, continuity of supply, and risk program maturity.

Sustainability risks

The identification of our priority sustainability topics is formalized through a regular multistakeholder materiality exercise (see Sustainability strategy).

Company-level sustainability risk scenarios are then addressed as part of our ERM program. Our response level corresponds to the level of risk identified. This mapping enables sustainability risks to be fully integrated into the priority risks of the Company.

In 2022, we identified our main focuses and long-term risk mitigation actions as:

  • climate change, with specific attention on securing investment for carbon neutrality, maximizing energy savings and renewable energy (see Energy and climate change)
  • water management with reinforcement of water strategy and policy (see Water)
  • diversity, equity and inclusion, with training developments, creation of diverse networks, and monitoring enhancement (see Diversity, equity and inclusion)
  • human resources programs, to ensure sustainable hiring, retention, and transformation (see Talent attraction and engagement)
  • health and safety, with specific programs dedicated to well-being and psychosocial risk reduction (see Health and safety and Labor and human rights)

Other priority topics identified relate to chemicals and pollution management (see Chemicals), supply chain responsibility (see Responsible supply chain), and new reporting and regulatory standards for people and the environment (for example, EU Taxonomy, US and EU forced labor bans).

By identifying these risks and mitigating them through dedicated actions and programs, we can reduce our environmental and social footprint and find new opportunities to create positive value for our Company and our stakeholders.