Risk and Opportunity Management

Managing risks and opportunities to create value

Overview

 

Prysmian’s value creation policy has always been based on effective risk and opportunity management. Since 2012, by adopting the provisions on risk management introduced by the Corporate Governance Code for Listed Companies (Corporate Governance Code) of Borsa Italiana, Prysmian has taken the opportunity to strengthen its governance model and implement an evolving risk management system that promotes proactive management of risks and opportunities using a structured and systematic tool to support the main business decision-making processes.

In fact, this Enterprise Risk Management (ERM) model, developed in line with internationally recognised models and best practices, such as those promoted by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the ISO 31000 standard, enables the Board of Directors and managers to make informed assessments of risk scenarios that could jeopardise the achievement of strategic objectives. It also allows the adoption of additional tools able to anticipate, mitigate and manage significant exposures and to pursue opportunities in line with the Group’s risk appetite, defined as the type and extent of risk that Prysmian is able and willing to assume.

The risk and opportunity management process involves the Group’s key business/function managers, allowing the most significant risk factors to be identified, assessed and managed, including sustainability and climate-related issues. This results in an integrated and multi-disciplinary company-wide risk management process aimed at ensuring long-term value creation for shareholders and stakeholders.

 

ERM in practice

 

The Group Chief Risk and Compliance Officer, tasked with managing the ERM system, is responsible for ensuring, together with top management, that the main risks and opportunities for Prysmian and its subsidiaries are promptly identified, assessed, treated and monitored over time.

After reporting to an internal risk management committee consisting of the Group’s top managers, the Group Chief Risk and Compliance Officer periodically meets the Control and Risks Committee — made up of non-executive members of the Board of Directors — to provide updates on the outcomes of the analyses conducted and actions taken, as well as about any developments in the Group’s ERM process.

 

Prysmian’s risk appetite

 

Prysmian’s risk appetite is determined through a process that defines the types and extent of risk that the Company is able and willing to assume in pursuing its strategic objectives.

Identifying risks and setting a clear risk appetite level are essential to achieving an effective ERM framework.

Prysmian has not set a single risk appetite statement but rather applies different risk appetite levels based on the range of its activities, and may choose to accept different degrees of risk in different areas. For instance, a “Zero tolerance” risk appetite is set for legal & compliance risks (e.g., non-compliance with export control laws and risks related to the whistleblowing system) and for HSE-related matters, while a “Low tolerance” risk appetite is set for Cyber risk.

 

Risk and opportunity governance

 

Managing risks and opportunities is an essential part of Prysmian’s culture and fosters greater confidence in achieving strategic objectives and making the business sustainable, together with creating value for all employees, shareholders and stakeholders.

Developing, implementing and promoting a risk and opportunity control and management assurance system is based on the integration of different levels of control:

The ERM process is generally conducted at least twice a year in order to identify, assess, treat and monitor risks and opportunities to ensure that the Group's risk exposure is reviewed on a regular basis. For the most relevant risks and for emerging and/or evolving risks, assessment activities are performed even more frequently.

 

Prysmian’s risk and opportunity culture

 

In order to promote an effective risk and opportunity culture throughout the organisation Prysmian has adopted dedicated strategies, including:

  • regular risk and opportunity management education and awareness for all Board members (e.g., the Risk Management & Compliance function regularly updates the Control and Risks Committee about the progress made by the Group’s ERM process and by the various risk management activities) providing deep-dives, inductions and training as needed;
  • training focused on risk and opportunity management principles for the whole organisation (e.g., e-learning training through an internal platform);
  • dedicated series of training on operational risks (e.g., Project Risk Management) and induction sessions on risk management for new joiners;
  • integration of risk and opportunity criteria into the development of products, projects and services (e.g., risk analysis and deep dives embedded into product and process development, as well as into the bidding and delivery processes);
  • financial incentives that incorporate risk management metrics (e.g., the Prysmian Performance evaluation and development programs).

Prysmian’s ERM aims to identify all types of potentially significant risks and opportunities for the Group, as outlined in its Risk Model (shown in the figure below), which classifies the internal and external risks of Prysmian’s business model based on five families:

The ERM process requires Prysmian Management to use a clearly defined, common method to assess the Group's exposure to specific risk and opportunity events, measured in terms of impact, likelihood and adequacy of the existing level of risk management, meaning:

  • Economic-financial impact on expected EBITDA or cash flows, net of any insurance coverage and countermeasures in place, and/or impact on reputation and/or on operational efficiency/continuity and sustainability, measured on a scale from “minor” (1) to “very high” (4);
  • Likelihood, probability that a particular event may occur, measured on a scale from “remote” (1) to “probable” (4);
  • Risk Management Capability, meaning the maturity and effectiveness of existing risk management systems and processes (including controls), measured on a scale from “adequate” (green) to “inadequate/non-existent” (red).

Following the identification and assessment of risks and opportunities, Group exposure is analysed taking into account the future evolution and outlook of risks and opportunities (i.e., the possibility that exposure increases, remains constant or decreases over the period considered).

The outcome of the risk assessment is then represented on a 4x4 heatmap, which, by combining the variables in question, provides a clear overview of the most significant risk events.

In particular, sustainability and climate related risks and opportunities are also assessed and reported, taking into account the Group’s latest update of its double materiality matrix for the purposes of the Integrated Report.

The overview of the Group’s risks and opportunities allows the Board of Directors and Top Management to evaluate the Group’s risk appetite and identify the risk and opportunity management strategies to adopt, by assessing and prioritising the types of risk for which it is deemed necessary to implement, improve or optimise mitigation actions and those for which it is sufficient to monitor the exposure over time.

To allow a full coverage of the risks and opportunities to which Prysmian is exposed, risk and opportunity analyses are also carried out through specialised deep dives (e.g. new emerging risks, operational risks, climate change risks). Below are examples of risk & opportunity deep dives performed in Prysmian.

 
Operational risks - focus on Project risk

At Prysmian, the assessment of operational risks is an integral part of the Enterprise Risk Management activities. Departments, Functions and Business Units at all levels that are involved in producing and/or delivering products/projects/services to clients are identified as Risk Owners, being primarily responsible for the timely identification, assessment, management and monitoring of risks in day-to-day operations and throughout each product/project/service life cycle.

In particular, to effectively manage risks related to the Transmission Business Unit, Prysmian has implemented a systematic Project Risk Management Process, integrated into the Project Management activities of the Transmission segment, covering the whole project lifecycle (from bidding to delivery phases). The Project Risk Management System is aimed at ensuring expected project performance by effectively managing risks during the whole project lifecycle and identifying mitigation actions in a timely manner, while also promoting proactive and transparent behaviours by all actors involved in risk assessment.

Risk assessment activities, as well as risk management, mitigation and monitoring actions are clearly assigned based on each function’s area of competence / expertise, including escalation mechanisms to Top Management and relevant Committees depending on risk evolution and exposure.

 
Climate Change risks

In response to global trends related to climate change, Prysmian has developed an analysis of the Group's exposure to climate-related risks and opportunities. This deep-dive analysis, aligned with key international standards and frameworks (e.g., TCFD, IPCC, IEA), enables the identification, assessment, and management of climate-related risks. Prysmian considers both physical risks and transition risks and opportunities.

The analysis of climate change-related risks and opportunities is fully integrated into the Group’s centralized Enterprise Risk Management system - addressing multi-disciplinary areas and covering the Group with a company-wide perspective - with the aim of considering all relevant categories of risks and opportunities, including those related to climate change, and ensuring continuous alignment between risk assessments and the Group’s short-, medium-, and long-term strategic objectives.

To explore and assess the resilience of its business to climate change, Prysmian periodically conducts an analysis of physical and transition risks involving various climate-related scenarios, including a 2°C or less temperature increase, in order to model how the impact and likelihood of the material risks and opportunities identified might change from time to time. In particular, the Group considers two types of models: IPCC RCP scenarios for the physical risk assessment (IPCC RCP 8.5; IPCC RCP 2.6) and IEA scenarios for transition risks and opportunities (IEA STEPS; IEA APS; IEA NZE).

The climate-related risk and opportunity analysis is performed over three different time horizons:

  • Short-term (1 year);
  • Medium term (2-5 years);
  • Long term (more than 5 years).

Climate risk and opportunity analysis is carried out across the Group’s own operations as well as throughout the value chain, both upstream and downstream. The analysis is performed considering all types of climate related risks and opportunities as per TCFD Classification including physical risks (acute and chronic risks) and transition risks and opportunities (e.g., policy & legal / regulations, technology, market, reputation).

By analyzing various climate scenarios, Prysmian assesses the adequacy of its strategy in terms of resilience against physical risks, deriving from climate change as a cause of acute events or from chronic changes in climate patterns, and against transition risks, relating to a transition to a low-carbon economy.

Below are Prysmian's material climate-related risks and opportunities

Risk and Opportunity deep dives
 
Emerging risks

To ensure that the ERM process is capable of identifying and managing all risks to which Prysmian may potentially be exposed during its business activities, a dedicated focus on emerging risks is conducted as part of the risk management activities.

The identification of emerging risks is carried out through periodical interviews with Top Management and Business functions, as well as through the analysis of key reference sources such as reports and market studies which provide insights into major forward-looking trends relevant to Prysmian's business context.

Below are some examples of emerging potential risks examined in the medium-long term:

  • Escalating tariffs and trade war - Tariffs and trade policy changes can potentially impact global markets, disrupting supply chains and increasing the cost of doing business globally.
  • AI-Enhanced Cyber Attacks – Potential increase in the effectiveness of Cyber-attacks resulting from the ease of use of AI-assisted tools for code generation, attack automation, phishing and other attempts by malicious actors. This risk can potentially generate reputational impact (e.g., undermining stakeholders’ trust), operational impact (e.g., business interruptions) and/or economic impact (e.g., additional costs for attack responses).
  • Misuse of AI - Potential use by employees of unauthorized AI tools and/or applications outside of the Group approved framework, which can lead to compliance issues, loss of intellectual property and/or reputational damage.

 

Prysmian is committed to the continuous improvement of its Risk Management system. As part of this commitment, the Group's Enterprise Risk Management (ERM) process has been subject to third-party assessments and audits for multiple purposes.

Between 2023 and 2024, Prysmian underwent an Enterprise Risk Maturity Assessment conducted by an independent third party to evaluate the maturity level of the Group’s risk management system against leading international frameworks, identify key areas for improvement based on the desired target state, incorporate industry best practices, and benchmark the system against peer organizations. Following the assessment, Prysmian implemented improvement actions, in alignment with its continuous improvement approach.

In 2024-2025 the Risk Management Process was also included in audit activities carried out by the Group Quality Department, external certification bodies (e.g., as part of the ISO 9001 certification renewal process) and other external parties (e.g., external audit with focus on Project Risk Management for the Transmission Business Unit).