SSE : Group Risk Report 2020

GROUP RISK REPORT

2019/20

OUR CORE BUSINESSES

SSEN Transmission

What it does

O wns, operates and maintains the electricity transmission network in the north of Scotland.

Who it does it for

Electricity gene rators, large electricity dem and customers and ultimately all electricity customers across GB.

How it supports net zero

C onnecting sources of renewable electricity gene ration to the nationa l grid and transporting that clean electricity to areas of demand.

How it is remunerated

Through economically- regulated returns, recovered from electricity generators

delivery of large capital investments.

SSEN Distribution

What it does

O wns, operates and maintains the electricity distribution networks in the north of Scotland and central southern England.

Who it does it for

For the homes, businesses, generators and service providers that are connected to, or are seeking a connection to, its distribution networks and, ultimately, all electricity customers across GB.

How it supports net zero

Through the timely connection of loc al renewables and the co- ordinated delivery to alleviate network constraints and allow for

How it is remunerated

Through economically regulated returns, recovered from customers and connecting parties. Additiona l earnings can be madetargeted, performance- related incentives.

OUR COMPLEMENTARY BUSINESSES

SSE Thermal

What it does

Generates electricity from thermal sources

electricity systems in GB and Ireland.

Who it does it for

For electricity suppliers, traders and other generators through the energy market; for National Grid; and ultimately all electricity customers across GB.

How it supports net zero

Produces progressively lower- carbon elec tricity and electricity system support to enable net-zero transition.

How it is remunerated

Through the wholesale ene rgy market,

C apacity Market and ancillary services market. Energy from waste facilities earn income from waste treatment.

Gas Storage

What it does

Owns and operates large underground caverns in which gas is stored.

Who it does it for

For gas suppliers or traders and ultimately for all energy customers across GB.

How it supports net zero

Gas storage has an important role in ensuring gas security of supply in GB, which is essential as gas rem ains a key com plement to renewables ene rgy.

How it is remunerated

By payments from third parties to reserve capacity in the storage facilities or through trading of gas.

SSE Business Energy (GB)

What it does

Provides a route to market for the output from SSE's renewables and thermal businesses, and provides the sustainable ene rgy services that customers increasingly seek.

Who it does it for

For a broad and diverse range of customers, from micro businesses to large corporations and public sector organisations in the GB market.

How it supports net zero

Through supplying low carbon energy and related sustainable solutions to business customers.

How it is remunerated

C om peting for customers and direct billing to them and third party intermediaries.

SSE Airtricity

What it does

Provides ene rgy and related services to househo lds, businesses and public sector organisations across the island of Ireland.

Who it does it for

Serves both home and business ene rgy customers (including public sector bodies) across the island of Ireland.

How it supports net zero

Supplies low carbon energy and supports the provision of sustainable ene rgy solutions to home and business customers.

How it is remunerated

C om peting for customers and direct billing to them; and through state- supported schemes.

SSE Renewables

What it does

Development, construction and operation, and ownership, of assets that gene rate electricity from renewable sources.

Who it does it for

For electricity customers across the GB and Ireland markets, who increasingly require zero carbon sources of energy.

How it supports net zero

Develops and gene rates zero carbon electricity

hydro schemes.

How it is remunerated

Through the wholesale ene rgy market, ancillary services market, C apacity Market, power purchase agreements, and government support schemes for renewable ene rgy.

SSE Enterprise

What it does

Provides innovative ene rgy and utility services solutions.

Who it does it for

Businesses and large public sector organisations.

How it supports net zero

By helping to develop a user- led ene rgy system that is low- carbon, loc al, secure

How it is remunerated

By winning bids and contracts and earning revenue from them.

Energy Portfolio Management (EPM)

What it does

Delivers value adding ene rgy trading services for business units in SSE and external customers.

Who it does it for

O ther SSE Business Units and third- party ene rgy operators.

How it supports net zero

low- carbon elec tricity.

How it is remunerated

Receives fees for providing ene rgy trading services to other parts of the Group.

SSE plc Annual Report 2020

91

MANAGING SSE'S PRINCIPAL RISKS

MANAGING SSE'S PRINCIPAL RISKS

The successful delivery of SSE's strategic objectives depends on effective identification, understanding and mitigation of its Principal Risks. SSE has an established Risk Management Framework and wider system of internal control (as described on page 4 and 5) to inform decision-making in support of creating value in a sustainable way.

In January 2020, SSE completed the disposal of its Energy Services business, thereby confirming its strategic focus on developing, building, operating and owning assets that support the transition to a net zero economy and its ambition to be a leading energy company in a low carbon world. This reshaping of SSE took place against a background of a number of key external factors which will set the operating context for SSE for years to come.

Key External Factors

First, the UK's Brexit process gave rise to significant economic, regulatory and political developments and uncertainties, many of which are believed to be unprecedented and are expected to have long-lasting consequences.

Second, the concept of restoring state control and ownership of infrastructure such as energy networks continued to feature in political and public debates and is likely to continue to do so for some time to come.

Third, the power cuts experienced in Great Britain on 9 August - 20 emphasised the extent to which society is dependent on a fully functioning electricity system and the extent to which stakeholders therefore expect the highest standards of delivery from infrastructure providers.

Fourth, the UK became the first major economy to pass a law to require it to bring all greenhouse gas emissions to net zero by 2050. This occurred amidst significantly enhanced stakeholder concern and activism in relation to climate change that is expected to increase further in the future.

Towards the end of 2019/20, the coronavirus outbreak reached the UK and Ireland, with immediate, and potentially long-term, human, social, economic and business effects that may shape the operating context for SSE for years to come and that require to be considered in any assessment of risk.

The reshaping of the SSE group following the sale of the Energy Services business andalong with the key factors described above formed the basis of the full review of SSE's Principal Risks that took place during the course of the financial year.

Board Considerations

Effective identification, understanding and mitigation of Principal Risks underpins the Board's approach to setting strategic objectives for SSE and informing strategic decision making. The Board aims to consider all material influencing factors and key external trends in the energy market, including those relating to climate change, security of energy supply and technological developments and aims to do so in a way that reflects the expectations of SSE's key stakeholder groups. These material influencing factors also impact the nature and extent of risks the Board is willing to take in order to meet these objectives, and related mitigation strategies adopted by the Group. Material changes in the nature and potential impacts of SSE's Group Principal Risks are continuously assessed with appropriate mitigations implemented where necessary

Overseeing Risk

The Group Executive Committee and its sub-Committees have responsibility for overseeing SSE's Principal Risks. During the third quarter of SSE's financial year, an assessment of each Principal Risk is completed by the assigned oversight committee. This assessment requires committee members to provide commentary on contextual changes to the Risks and whether they consider them to havebecome more or less material during the year. Consideration is also given to potential emerging risks and whether or not any of those identified have the potential to become a Principal Risk to the business in the medium to long term.

These responses are then consolidated into reports, one for each Principal Risk, which are presented back to the committees along with the results of provisional viability testing and analysis of relevant, current management information and key information relating to Business Unit Principal Risks and Controls. These reports form the basis for the Committees to discuss and confirm risk trend (more, less or equally material), overall effectiveness of the risk control and monitoring environment, and whether any additional control improvement actions are required. This is an inclusive and iterative process that results in considered and objective outputs and a robust assessment of Principal Risks.

The outputs from these committee assessments are then presented to the Group Executive Committee for full review, with any emerging risks or additional material changes resulting from this being proposed to the Board.

2019/20 Review Outcome

Following the 2019/20 annual review process, the number of Principal Risks to the Group has increased from 10 to 11 with the introduction of "Climate Change". Ensuring its strategy and goals are consistent with national and international efforts to tackleclimate change has long been at the heart of SSE's approach to business, but in light of the UK's legislation on net-zero emissions in 2019, it was recognised that stakeholders would expect climate change to be explicitly recognised as a Principal Risk. In addition, the pre-existing "Development and Change" risk has been redefined and renamed "Speed of Change" to ensure clarity relating to its focus. An emerging risk "Joint Venture and Partner Management" has also been identified. The importance of joint ventures and partner management is continuing to increase in SSE as its business units pursue their strategic and business objectives in association with other companies and organisations.

Important revisions have also been made to the descriptions of each of the other Principal Risks to take account of key developments and corresponding mitigations that were introduced during the year.

Coronavirus

The outbreak of coronavirus in the UK and Ireland in March 2020 resulted in the Board undertaking an additional assessment of each of the Principal Risks. As with SSE's established process for the assessment of Principal Risks, this was an inclusive and iterative exercise delivering considered and objective outputs.

Completed by the members of the assigned oversight committees, this further assessment required consideration of contextual changes to the Risks based on information collected from SSE's business units and corporate functions, highlighting any additional areas of concern and re-assessing the risk trends resulting from the impacts of coronavirus (more, less or equally material).

The output from this additional assessment was then considered by the Group Risk Committee before being presented to the Board for review and approval.

The overall conclusion of this additional assessment was that the human, social and economic impact of coronavirus has increased the prevalence of a number of the material influencing factors detailed against each of SSE's Group Principal Risks. In turn, these material influencing factors may increase the likelihood of occurrence of the Risks and in some cases may increase the materiality of their impacts should they occur. For example the dependence of critical national response activities on energy infrastructure has been highlighted during the pandemic, with SSE's over-riding priority being on ensuring the safe and reliable supply of electricity and essential energy services at local, regional and national level. At the same time, the social and economic impact of coronavirus has throwninto sharper relief the question of energy affordability - a matter that affects all parts of the energy sector, not just companies involved in direct supply to end customers.

Full details of the Group Principal Risks are detailed on pages 10 through to 20 of this report.

3

SYSTEM OF INTERNAL CONTROL

The various elements that make up SSE's Risk Management Framework are aligned to different levels of its Governance Framework as shown in the diagram. Outputs of the Strategic Framework - principally being the Group's objectives and the SSESET of values - form the basis for all activity within the Risk Management Framework.

The Governance Framework. Designed to ensure focus on the key components of high quality andeffective decision-making - clarity, accountability, transparency and efficiency. For further details please see page 96 of the Director's Report of the Annual Report and Accounts.

The Strategic Framework. This includes Group's strategic objectives, financial objective and sustainability goals and forms the basis for all activity within the Risk Management Framework. For further details please see pages 6 to 9 of the Strategic Report of the Annual Report and Accounts.

The Risk Management Framework. This Framework supports each Business Unit in managing its risks and helps to ensure that the Board can meet its obligations. The framework is underpinned by the fundamental principle that everyone at SSE is responsible for the management of risk.

The Assurance Framework. An integrated programme of audit and assurance activity that is independent of the day to day operations of the Business Units and Corporate Functions. It is made up of Internal Audit, Group Compliance, Large Capital Projects Services and Group Safety, Health and Environment.

The Standards and Quality Framework. Sets out the expected standards and guidelines to be followed in the delivery of the Group's core purpose.

SYSTEM OF INTERNAL CONTROL

RISK MANAGEMENT FRAMEWORK

RISK MANAGEMENT FRAMEWORK

Within SSE, we apply the fundamental principle that everyone who works for us is responsible for the management of risk.

Group Risk Management and Internal Control Policy:

The policy consists of clear principles and sets out roles and responsibilities which guide the risk management culture within SSE. These include:

• - That everyone at SSE is responsible for the management of risk. All employees must understand and manage all risks that threaten the achievement of objectives or compromise the SSE SET of values which, in turn, help define our corporate culture.

• - All decisions must be made with full consideration of the risks involved. This principle is reflected in SSE's Risk Appetite Statement and underpins our disciplined approach to decision-making.

• - The Board of Directors is accountable to SSE's customers, investors, employees and other key stakeholders, and has ultimate responsibility for the effectiveness of SSE's management of risk

Review of the Effectiveness of the System of Internal Control:

The Board is required to carry out a review of the System of Internal Control each year in accordance with the UK Corporate Governance Code ("the Code"). The Board has delegated responsibility for reviewing the System of Internal control to the Audit Committee. This covers all material controls including financial, operational and compliance controls.

To assist the Committee's review of the System of Internal Control, all elements are evaluated by key stakeholders. These evaluations are assessed by the Finance Director and a letter is provided to the Audit Committee summarising the work conducted in the year to improve the control environment and making arecommendation on the overall effectiveness of the System of Internal Control.

In addition, when undertaking the review, the Committee considers the Assurance Evaluations undertaken annually by the Managing Directors of each of SSE's Business Units.

Principal Risk Self Assessment

SSE's Group Executive Committee and relevant sub-committees are assigned oversight of each of SSE's Principal Risks, and a full review of these is carried out each year which includes the effectiveness and appropriateness of all relevant controls, detailed analysis relating to monitoring information and comprehensive scenario impact analysis. The deemed change in materiality of each risk is also included within these assessments.

The outputs from these committee assessments are then presented to the Group Executive Committee for full review, with any emerging risks or additional material changes resulting from this being proposed to the Board for approval.

Risk Appetite Statement

As required by the Code, SSE's Risk Appetite Statement, as defined by the Board, sets out clearly the nature and extent of risk that the Group is willing to take in order to achieve its strategic objectives, and key decision-making is aligned with this Statement.

Viability Assessment

Provision 41 of the Code requires Directors to make an annual statement of the longer term viability of the Group. To help support this Statement, over the course of the year the suite of severe but plausible scenarios has continued to be developed for each of SSE's Principal Risks. These scenarios are based on relevant real life events that have either been observed in the markets within which the Group operates or related markets globally. Examples include critical asset failure (forEnergy Infrastructure Failure); changes to key government energy policies (for Politics, Regulation and Compliance); and the impact of the loss of key systems (for Cyber Security and Resilience).

Scenarios that greatest have the potential to adversely affect SSE's ability to deliver its vision, strategy and purpose are stress tested against forecast available financial headroom. In addition to considering these in isolation, the Directors also consider the cumulative impact of different combinations of scenarios, including those that individually have the highest impact .

Key Risk Indicators

As part of the ongoing assessment of the Group's Principal Risks, Key Risk Indicators (KRIs) are reported to SSE's various oversight committees on a regular basis. These provide high level insight into key risk factors which are likely to influence SSE's exposure to these risks.

Business Unit Risk Approach

The Group Risk Management and Internal Control Policy allows flexibility for the Managing Directors of SSE's Business Units to tailor operational risk management to the specific requirements of their business areas.

Assurance Evaluations

The Managing Directors of each of SSE's Business Units carry out an annual Assurance Evaluation covering key management areas, including Risk Management. This provides an opportunity for each Managing Director to identify areas where controls could be improved or where assurance arrangements require to be strengthened. Planned improvements are then tracked with updates reported to the Chief Executive on a regular basis.

Risk Blueprint

SSE Risk Blueprint is a best practice guide to risk management that is available to anyonewho requires it within the Group. The Blueprint is reviewed on an annual basis in line with the review of the Group Risk Management and Internal Control Policy.

7