Banca Ifis | 2020 Consolidated Non-Financial Statement (page 22)

Internal control and risk management system

The Banca Ifis Group's internal control system consists of rules, procedures and organisational structures aimed at ensuring, among other things, adherence to the business strategies, the effectiveness and efficiency of processes, and the compliance of operations with the law, supervisory regulations, and the policies, procedures and codes of conduct adopted by the Group. All business operations are subject to controls by the functions or business Areas that own the various processes and operations (line controls, or first line of defence), as well as by the second line of defence functions (Risk Management, Compliance and Anti-Money Laundering) and the third line of defence function (Internal Audit).

                                                                                                      [GRI 102-11]
Risk Management identifies the risks to which the Parent and the Group companies are exposed, and measures and monitors them on a regular basis through specific risk indicators, planning potential actions to mitigate material risks. The goal is to provide a holistic and comprehensive view of the risks the Group is exposed to, ensuring adequate reporting to the governance bodies. Risk Management regularly reports to the corporate bodies on its operations through the Dashboard and, where required, to the Bank of Italy and Consob (Italy's stock market watchdog).

The Group's overall risk governance and management structure is governed by the Risk Appetite Framework and the related documents, which are constantly updated as the Group's strategic framework evolves. When the Group's scope changes, Banca Ifis promptly aligns and integrates its risk governance and management methods while taking into account the peculiarities of each business.


Specifically, Banca Ifis has prepared a Taxonomy of Risks describing how it identifies the existing and/or potential risks the Group could be exposed to in pursuing its strategic goals, as well as the tools for preventing and mitigating each type of risk.

The Parent carries out an initial identification of risks based on the list of minimum risks laid down by supervisory regulations, adding any further material risks that emerged during the analysis of the business model, the reference markets in which the Group's companies operate, the strategic outlook, operational methods, and the characteristics of loans and funding sources.


Identifying risks and regularly updating the Taxonomy of Risks is the joint work of the second line of defence functions (Risk Management, Compliance, Anti-Money Laundering) and the third line of defence function (Internal Audit), which meet once a year to discuss whether to introduce new risk events and/or review the assessment of potential risks based on the risk management outcomes of the previous year. The Supervisory Body is responsible for identifying and adequately monitoring the existing or potential risks under Italian Legislative Decree no. 231/2001 in relation to actual business processes, constantly updating the mapping of risk areas and "sensitive processes".

The Control and Risks Committee, composed of members of the Board of Directors selected from among the non-executive Directors, most of whom are independent, is responsible for supporting the Board of Directors in making assessments and decisions concerning the internal control and risk management system, based on preliminary analyses.

The audit work performed by the Compliance function (systematic audits and inspections) is based on the plans approved by the Board of Directors and seeks to evaluate the effectiveness of the required, proposed or implemented organisational measures intended to manage the risk of non-compliance. These audits therefore apply to all areas in which that risk exists. The audit findings are formally presented in reports shared with the relevant business structures, which must provide feedback on the remedial actions identified and the related implementation timeline. The function monitors compliance with these requirements and regularly reports to the corporate bodies through the Dashboard and, where required, to the Bank of Italy and Consob.

For regulations subject to specialised supervision (e.g. occupational safety or personal data processing), the responsibilities of the Compliance function can be adjusted, for instance by making the relevant Organisational Unit responsible for coordinating methods, so that Compliance can provide the Corporate Bodies with a comprehensive view of the exposure to the risk of non-compliance. In any case, Compliance, at a minimum and together with the relevant specialised structures, is responsible for defining the non-compliance risk assessment methods, identifying the relevant procedures, and reviewing whether these are adequate.
