Risk management

Risk management is embedded throughout our organization to provide resilience, agility, and growth.

  • ERM: global approach
  • 9 priority 1 risk areas
  • 100+ ERM and resilience champions

Our tailored enterprise risk management approach

As a company operating globally in the semiconductor market, we are exposed to risks of increased volatility, uncertainty, complexity, and ambiguity, particularly due to current geopolitical instabilities. For a description of ST’s risk factors, please refer to the relevant section in our 2023 Annual Report Form 20-F and our 2023 Statutory Annual Report, including IFRS Financial Statements, available on investors.st.com.

ERM process aligned with ISO 31000

Our embedded approach to enterprise risk management (ERM) is formalized in a specific policy and is aligned with ISO 31000. It enables us to:

  • set and enable our Company strategy, manage our performance, and capitalize on opportunities
  • systematically identify, evaluate, and address specific risk scenarios

Our ERM improvement roadmap includes implementing our risk framework, which is tailored to ST. Our risk framework is an integral part of our processes and decision-making. It considers the interests of our stakeholders and addresses uncertainty explicitly. Based on the best available information, the risk framework is proactive, structured, dynamic, iterative and responsive to change.

ST’s ERM framework

Governance, organization, and culture

  • Risk oversight and governance
  • Risk culture
  • Risk appetite
  • Risk functions and communities

Managing risk and opportunity

  • Response to and monitoring of risk and opportunity
    (enabling strategy and performance)

Risk enablers

  • Risk reference documentation (policies and procedures)
  • Risk processes (definition and methodologies)
  • Risk tools

Our risk approach is managed by our Chief Audit and Risk Executive under the direct responsibility of our Managing Board and the oversight of our Supervisory Board. The scope of this oversight role is detailed in our Supervisory Board Charter.

Our risk governance is described in the following chart:

Risk management – risk governance (graphic)

Managing risk

Risk management activities are governed by our risk appetite strategy, which is discussed annually at Supervisory Board and Audit Committee levels.

We determine the amount of risk we are willing to pursue or retain, depending on the expected rewards, opportunities, and costs.

Our risk appetite depends on the nature of risks. As an illustration, through well-designed and effective internal controls, we strive to reduce residual exposure to a level as low as reasonably practicable for the following risk categories:

  • corporate governance
  • product quality
  • operations resilience (internal events)
  • protection of intellectual property and other sensitive information
  • people, health and safety
  • compliance with environmental regulations and commitments
  • adherence to our Code of Conduct and compliance with applicable laws and regulations
  • protection against cyber threats

Our holistic ERM process is embedded company-wide and within more than 20 organizational units, to ensure specific risk scenarios are addressed at the right level. By systematically considering the views of numerous executives and external sources, we continually strive to identify and address emerging risks, including those that are externally driven, fast-evolving, or that might be of significance in the medium- to long-term, for instance risks related to artificial intelligence in 2023. This process is facilitated by a global network of ERM champions.

STMicroelectronics’ ERM process (graphic)

During 2023, we refreshed our Company risk assessment with the executive management team. The output from this exercise was a risk map linked to our strategic objectives, including nine redefined ‘priority 1’ risk areas.

Risk owners (members of senior management) were appointed for each priority risk area to develop risk response plans, adapt to changing external conditions, and enhance monitoring capabilities. These risk response plans are regularly reviewed by the Executive Committee and periodically discussed with the Audit Committee of the Supervisory Board.

Each organizational unit throughout the Company completes its own risk assessment. This includes marketing and sales regions, product groups, manufacturing and technology, and corporate functions. In addition, we implemented further risk assessments on large company programs, including transformation programs.

Franck Freymond, Executive Vice President, Chief Audit and Risk Executive (portrait)

In the spirit of continuous improvement, independent assessments are conducted every five years on ERM and resilience activities. This allows us to evaluate our level of maturity, benchmark our practices against peers or market practices, and design improvement roadmaps.

Improving our resilience

Our risk approach encompasses a dedicated resilience management system (RMS), focusing on business continuity and crisis management, to address the following risk factors:

  • continuity of the main sites
  • manufacturing flexibility across internal and/or external sites
  • continuity of full supply chain, including third parties
  • managing business continuity and crisis communication to clients and other stakeholders
  • improving company-wide capability to respond to crises

As part of our multi-year improvement roadmap, we further embedded the RMS at our main sites and selected organizations in 2023, leveraging our Corporate Resilience Competence Center and a global network of resilience champions.

In 2023, over 50 ERM and resilience champions gathered for a three-day internal conference where best practices and upcoming improvements were discussed. We implemented several incremental improvements to our RMS, with fully aligned methodologies and toolkits across ERM, resilience, business continuity, and crisis management. This provides a consistent methodology to address potential business disruptions to our resources, such as:

  • site unavailability
  • people unavailability
  • IT system disruptions, such as cyber-attacks
  • critical sourcing and logistics/transportation disruptions

As such, we address scenarios that may affect our supply chain and operations, enabling us to continually improve our continuity plans. Such scenarios include:

  • pandemics
  • natural hazards (such as earthquakes, floods, snowstorms, volcanic eruptions, or tsunamis)
  • industrial accidents (such as fires and explosions)
  • facilities and energy interruptions
  • major impacts related to human activities (such as geopolitical tensions, terrorism, or strikes)

In 2023, we further developed an ST-specific methodology that underpins our global risk management dashboard. This comprises a range of indicators based on internal or external standards, covering dimensions such as:

  • exposure to natural hazards
  • loss prevention
  • facilities robustness
  • equipment modernization and redundancy
  • IT infrastructure
  • cyber protection

For every significant site, these indicators are compiled in a site resilience index (SRI), which is updated and improved quarterly. Site management teams prepare and update an annual site improvement plan accordingly.

Regular evaluation of our risk and resilience framework

ISO 22301 certified

The maturity of our overall risk framework design and implementation, which includes cybersecurity risks, is periodically audited by a leading independent organization. This was last performed in 2022, confirming a significant improvement in maturity compared to the previous audit in 2017. In 2023, additional independent audits were completed (as outsourced assignments within our Corporate Audit Plan) focusing on the following specific areas:

  • maturity assessment of the design and implementation of our resilience framework, confirming its current level of maturity
  • dedicated review of our cyber crisis playbook

In addition, ST has been ISO 22301 certified since 2016, with the current certification valid until 2025. Throughout 2023, our RMS and improvements have been subject to both internal audits and surveillance audits from the certification body. Such internal audits and external surveillance audits are scheduled to take place again in 2024.

Sustainability risks

Company-level sustainability risk scenarios are addressed as part of our ERM program. Our response level corresponds to the level of risk identified. This mapping enables sustainability risks to be fully integrated into the priority risks of the Company.

In 2023, the main focuses and long-term risk mitigation actions were related to:

  • climate change, through investment towards carbon neutrality, maximizing energy savings and renewable energy (see Energy and climate change), and implementing our carbon neutrality program in our supply chain to reduce our scope 3 GHG emissions (see Responsible supply chain)
  • water management, through reinforcement of our water strategy and policy (see Water)
  • diversity, equity, and inclusion, through new and updated training, employee resource groups, and enhanced monitoring (see Diversity, equity and inclusion)
  • health and safety, through programs dedicated to preventing work-related injuries and illnesses, and reducing psychosocial risks (see Health and safety)
  • working conditions in our supply chain, through suppliers’ assessment and trainings on labor and human rights (see Responsible supply chain)
  • chemical and pollution management, through the substitution of hazardous substances, and monitoring of our impact and appropriate treatment (see Chemicals and Water)

By identifying these risks and mitigating them through dedicated actions and programs, we can reduce our environmental and social footprint and find new opportunities to create positive value for our Company and our stakeholders.