Internal control and risk management system

The internal control and risk management system is a key element of the Company's overall corporate governance system; it comprises the set of rules, procedures and organisational structures aimed at the effective and efficient identification, measurement, management and monitoring of the main risks in order to contribute to the sustainable success of the Company.

This system is subject to regular assessment and review in relation to developments in company operations and the reference context.

Within the scope of the internal control and risk management system, the Company set up the Key Functions (audit, risk management, compliance and actuarial functions) that:

  • are separated from an organisational point of view,
  • report directly to the Board of Directors and
  • operate under the coordination of the Director appointed by the Board of Directors to oversee the internal control and risk management system, identified as the Chairman of the Company, in accordance with the Corporate Governance Code. 

The Key Functions in the Company are allocated to the Audit Function, the Chief Risk Officer (and the Risk Department), the Compliance and Anti-Money Laundering Function and the Actuarial Function respectively. They carry out the activities for which they are responsible both for the Company itself and for the Group companies that outsource these functions to it, on the basis of appropriate outsourcing agreements.

The Managers of the Key Functions submit the plan of activities to the company bodies on an annual basis and, every six months, a report on the activities carried out, the assessments made and the related results.

The main duties and responsibilities of the Key Functions are set out in the related sections. 

As part of the Compliance and Anti-Money Laundering Function, the anti-money laundering function has the duty to continuously verify that the business procedures are in line with the goal of preventing and combating the violation of external provisions (laws and regulations) and internal regulations on the prevention of money laundering risk. 

Other bodies and parties take part in the internal control and risk management system of the Company, including: the Board Committees, the Board of Statutory Auditors, the Supervisory Board established pursuant to Legislative Decree 231/2001, the Financial Reporting Officer, the Group Data Protection Officer and the Top Management.

Control activities cannot be assigned exclusively to specific offices or to supervision and control bodies. All of the operating structures need to play their own role in verifying the transactions carried out, based on different levels of responsibility.