SSE : Group Risk Report

1SSE PLC Group risk report 2022/23

2

Throughout 2022/23 SSE has met and managed unprecedented challenge in the markets in which it operates. As highlighted in the Chair's Statement on pages 4 and 5 of the Strategic Report of the Annual Report and Accounts, issues such as safety programmes, a•ordability, sectoral risks (such as extremely volatile commodity

prices and inflationary pressures), extreme weather and climate change have featured heavily in strategic risk discussions.

While managing these external challenges, SSE has continued to make substantial progress on the execution and delivery of it's Net Zero Acceleration Programme (NZAP), with in excess of £2.8bn of capital investment including acquisitions delivered during the course of the year. Supporting

concerns, formed the basis of the full review of SSE's Principal Risks that took place during the financial year.

SSE's risk management process is comprised of four main stages summarised in the diagram below. Continued maturity and refinement of our risk management framework ensures that it remains aligned with SSE's strategy and this year included the review and redrafting of the Group Risk Management Policy which is available to view on sse.com.

SSE's sector review on pages 12 to 15 of the Strategic Report of the Annual Report and Accounts provides more detail on the range

of external factors that influenced the risk exposures to the Group over the course of

trends in the energy market, including those relating to climate change, technological developments and government policy and aims to do so in a way that reflects the expectations of SSE's key stakeholder groups.

These material influencing factors also have an impact on the nature and extent of risks the Board is willing to take to meet these objectives, and related mitigation strategies adopted by the Group. Material changes in the nature, proximity and potential impacts of SSE's Group Principal Risks are regularly assessed by the oversight committees and the Business Unit executive committees with appropriate mitigations implemented where necessary.

Overseeing risk

System of Internal Control

The elements that make up the System of Internal Control are:

a just transition through continuing to create options for investment and growth by boosting energy security, supporting communities and creating green jobs, coupled with its balanced mix of businesses, uniquely positions SSE for the transition to net zero and resilience against volatility. These factors along with the ongoing geopolitical crisis in Ukraine having a significant impact on energy a•ordability and security of supply

the year.

Board considerations E•ective identification, understanding and mitigation of Principal Risks underpins the Board's approach to setting strategic objectives for SSE and informing strategic decision making (please see page 124 of the Directors Report of the Annual Report and Accounts for SSE's decision making context). The Board aims to consider all material influencing factors and key external

The Group Executive Committee and its subcommittees (as detailed on page 122 of

the Directors Report of the Annual Report and Accounts) have responsibility for

overseeing SSE's Principal Risks. During the third quarter of SSE's financial year, an assessment of each Principal Risk is completed by the assigned oversight committee. This assessment requires committee members to provide commentary on contextual changes to the risks, consider whether over the course of the year the risks have become more or less material based on impact and likelihood

For further details please

of the Annual eport and Accounts.

activity that is independent of the day- to-day operations of the Business Units and corporate functions. It is made up of Internal Audit, Group Compliance, Large Capital Projects Services and Group Safety, Health and Environment

• Standards and Quality Framework. Sets out the expected standards and guidelines to be followed in the delivery of the Group's core purpose.

Principal Risk assessment processes

and to confirm e•ective mitigations are in place for controlling risks. Consideration is also given to emerging risks and whether any of those identified have the potential to become a Principal Risk to the business in the medium to long-term.

Individual risk

reviews

3SSE PLC Group risk report 2022/23

These responses are then consolidated into reports, one for each Principal Risk, which are presented back to the committees along with the results of provisional viability testing and analysis of relevant, current management information and key information relating to Business Unit Principal Risks and controls. These reports form the basis for the committees to discuss and confirm the risk trend (more, less or equally material), overall e•ectiveness of the risk control and monitoring environment, and whether any additional control improvement actions are required. This is an inclusive and iterative process that results in considered and objective outputs and a robust assessment of the Principal Risks. The outputs from these committee assessments are then presented to the Group Executive Committee for full review.

4

Group Risk Management Policy:

The policy sets out the minimum standards, roles and responsibilities and provides clear principles which guide the risk management culture within SSE. These include:

• That everyone at SSE is responsible for the management of risk. All employees must understand and manage all risks that threaten the achievement of objectives or compromise the SSE SET of values which, in turn, help define our corporate culture.
• All decisions must be made with full consideration of the risks involved. This principle is reflected in SSE's Risk Appetite Statement and underpins our disciplined approach to decision-making.
• The Board of Directors is accountable to SSE's customers, investors, employees and other key stakeholders, and has ultimate responsibility for the effectiveness of SSE's management of risk.

Review of the Effectiveness of the System of Internal Control:

The Board is required to carry out a review of the System of Internal Control each year in accordance with the UK Corporate Governance Code ("the Code"). The Board has delegated responsibility for reviewing the System of Internal control to the Audit Committee. This covers

all material controls including financial and compliance controls, in addition to the financial reporting process.

To assist the Committee's review of the System of Internal Control, the different elements are evaluated by relevant key stakeholders. These evaluations are assessed by the Finance Director and a letter is provided to the Audit Committee summarising the work conducted in the year to improve the control environment and making a recommendation on the overall effectiveness of the System of Internal Control.

Principal Risk Self Assessment

SSE's Group Executive Committee and relevant subcommittees are assigned oversight of each of SSE's Principal Risks, and a full review of these is carried out each year which includes the effectiveness and appropriateness of all relevant controls, detailed analysis relating to monitoring information and comprehensive scenario impact analysis. The deemed change in materiality of each risk is also included within these assessments.

The outputs from these committee assessments are then presented to the Group Executive Committee for full review, with any emerging risks or additional material changes resulting from this being proposed to the Board for approval.

Risk Appetite Statement

As required by the Code, SSE's Risk Appetite Statement, as defined by the Board, sets out clearly the nature and extent of risk that the Group is willing to take in order to achieve its strategic objectives, and key decision-making is aligned with this Statement.

Viability Assessment

Provision 31 of the Code requires Directors to make an annual statement of the longer term viability of the Group. To help support this Statement, over the course of the year a suite of severe but plausible scenarios has been developed for each of SSE's Principal Risks. These scenarios are based on relevant real life events that have been observed either in the markets within which the Group operates or related markets globally. Examples include critical asset failure to generation assets (for Energy Infrastructure Failure); changes to key government energy policies (for Political and Regulatory Change); and the physical impacts of climate change on distribution assets through more frequent and increasingly severe storm events (for Climate Change).

Key Risk Indicators

As part of the ongoing assessment of the Group's Principal Risks, Key Risk Indicators (KRIs) are reported to SSE's various oversight committees on a regular basis. These provide high level insight into key risk factors which are likely to influence SSE's exposure to these risks.

Business Unit Risk Approach

The Group Risk Management Policy allows flexibility for the Managing Directors of SSE's Business Units to tailor operational risk management to the specific requirements of their business areas while meeting the minimum standards required.

Assurance Evaluations

The Assurance evaluations are undertaken annually by the Managing Directors of each of SSE's seven Business Units. These assurance evaluations consider each framework of the system of internal control form a Business Unit perspective and include any planned improvements to enhance controls. These improvements are tracked, with updates reported to the executive-level Group Risk Committee on a regular basis.

Risk Blueprint

SSE Risk Blueprint is a best practice guide to risk management that is available to anyone who requires it within the Group. The Blueprint is reviewed on an annual basis in line with the review of the Group Risk Management and Internal Control Policy.

In addition, when undertaking the review of the effectiveness of the System of Internal Control, the Committee considers the assurance evaluations undertaken annually by the Managing Directors of each of SSE's seven Business Units.

Scenarios are stress tested against forecast available financial headroom and in addition to considering these in isolation, the Directors also consider the cumulative impact of different combinations of scenarios, including those that individually have the highest impact.

Risk Management

Framework

5SSE PLC Group risk report 2022/23

6