Our Group adopts an Enterprise Risk Management model (hereinafter ERM) that follows the international reference regulations and standards and integrates with the strategic and operative planning processes. The ERM model is designed to identify the potential events that may affect the business, identify and manage the connected risks within acceptable limits and provide awareness to Top Management.

Risk management activities have been centralized exclusively in the Enterprise Risk Management function. This structure constitutes the second control level of our Internal Control System and reports to the Chief Financial Officer[1], who reports directly to the Chief Executive Officer. The Function ensures independence from the Organization's business lines in the analysis and assessment of risks at the Group level.

We conduct a periodic review of the risk scenarios, not only when defining the Industrial Plan, but also upon the occurrence of significant changes in the internal and external context or new risk scenarios.

_{[1] Within the TIM Group's risk management system, the CFO in essence acts as Chief Risk Officer.}

ERM has identified and mapped the risks of our Group into 12 continuously evolving clusters⁽¹⁾.

The risks included in the ESG area are an integral part of the clusters identified.

_{(1) For ERM, risk is defined as a possible event that can jeopardize the achievement of the Industrial Plan targets or the proper functioning of business processes and that, if identified and assessed well in advance, can generate value. The level of low, medium, and high ERM risk is based on the impact on Industrial Plan targets and processes as well as the probability of the event occurring (Risk = Impact x Probability). The impact on Plan targets is assessed for current risk as Equity Free Cash Flow at risk.}