Management and monitoring of business risks

The Internal Control and Risk Management System (ICRMS) is the set of rules, procedures and organisational structures aimed at enabling the identification, measurement, management and monitoring of key business risks within the Group.


In particular, the ICRMS contributes to ensuring the efficiency and effectiveness of company procedures, the reliability of its financial information, and compliance with laws and regulations as well as with its Articles of Association and internal procedures. The ICRMS thus plays a central role in the company's organisation, contributing to the adoption of informed decisions consistent with risk appetite, as well as to the dissemination of proper knowledge of risks, legality and company values.

A functional model for achieving goals and creating value.

Specifically, the ICRMS reports to the Board of Directors (BoD), which has the role of providing guidance and evaluating its adequacy, and involves the following individuals:


  • Directors in charge of the ICRMS, whose duties include establishing and maintaining an effective internal control and risk management system;
  • Control, Risk and Sustainability Committee (CRSC), generally tasked with supporting, on the basis of adequate preliminary activities, the assessments and decisions of the Board of Directors relating to the internal control and risk management system, as well as those concerning approval of the periodic financial reports.

The levels of the ICRMS

The Internal Control and Risk Management System is implemented through three levels of control:


  • third-level control, exercised by bodies internal to the company, i.e. Internal Audit, or external, i.e. the Board of Statutory Auditors, the Independent Auditors, and the Supervisory Board under Legislative Decree 231/2001;
  • second-level control, entrusted to specialised systems such as the Risk Management function, Compliance, the Financial Reporting Officer, the Data Protection Officer, and Management Control;
  • primary line control, entrusted to individual organisational units or Group Companies and carried out on the processes under their responsibility; responsibility for this control lies with Operations Management/Risk owner and is an integral part of every business process.

Corporate Governance Code
