Internal control and risk management system

What is it and how does it work?

The Company adopted an internal control and risk management system, represented by a set of rules, conducts, policies, procedures and organisational structures, designed to ensure, by means of an appropriate process of identification, measurement, management and monitoring of key risks, that the company is run in a manner that is sound and proper and which is aimed at achieving the company’s objectives, with a view to create value for its shareholders in the medium-long term.

The internal control and risk management system contributes to ensure the safeguarding of corporate assets, the efficiency and efficacy of corporate processes, the reliability of information provided to corporate bodies and to the market, compliance with laws and regulations as well as with the Articles of Association and internal procedures.

In this respect, therefore, the internal control system, defined with the purpose of guaranteeing the reliability, accuracy, integrity and timeliness of financial information, must be considered as an integrated element and not a separate one, with respect to the general risk management system adopted by the Company.

This system is integrated into the more general organisational and corporate governance structures adopted by the Company, duly taking into account the existing national and international best practices and relevant reference models, also in light of the evolution of this subject matter.

In particular, the planning, implementation and monitoring activities of the internal control and risk management system defined by IGD are guided by the CoSo Framework method. The Company continuously plans and carries out activities regarding the development and fine-tuning of the system’s components, in order to achieve continuous improvement.

Components of the System

The components of the internal control and risk management system are represented by:

Control environment:

the organisational context in which the strategies and objectives are established, as too are the procedures with which business activities are structured and the procedures with which risks are identified and managed. This consists of many elements, including the Company’s ethical values, the skills and development of the workforce, the style of operational management and the procedures with which proxies, powers and responsibilities are assigned.

Risk assessment:

considered as the basic element of the system. IGD, in order to be equipped with tools that are more in line with the control and risk management needs required by its organisational complexity, status as listed company and business dynamics, defined and implemented an integrated risk management process, based on the internationally recognised standards in the field of Enterprise Risk Management (“ERM”).

Control activities:

defined in connection with regulations, policies, guidelines and procedures that can help to ensure that risk treatment decisions are made in an appropriate manner.

Information and communication:

necessary at all corporate levels to identify, assess and implement risk treatment decisions as well as to carry out planned control activities in consideration of the objectives defined. The correct functioning of the Internal Control and Risk Management system is based on an active sharing of the duties between the company division involved.

Periodic monitoring:

of the effectiveness of the system and of its ability to reduce the risks to within the defined limits, consistent with the guidelines expressed by the relevant supervisory bodies.

Read more about the components of the Internal Control and Risk Management System on the Report on Corporate Governance and ownership structure 2022 (1 MB – pdf).

Existing characteristics of the system in relation to the financial information process

With reference to the internal control system implemented in relation to the financial information preparation process, IGD, in the previous financial years, began a procedure to adapt to the provisions of Law 262/05, designed to document the administrative and accounting control model adopted as well as to carry out specific checks on identified controls, so as to support the certification process of the Officer in charge of drawing up corporate financial reports.

The above mentioned administrative and accounting control model represents the set of internal tools and procedures adopted by the Company for the purpose of achieving corporate objectives regarding the reliability, accuracy, integrity and timeliness of financial information.

Roles and corporate bodies involved

The internal control and risk management system is based on the clear definition of the roles involved in the different phases of the planning, deployment, monitoring and updating the system over time. The Roles and corporate bodies involved are:

The Board of Directors;
The Director in charge of establishing and maintaining an effective internal control and risk management system;
The Control and Risk Committee, an element of the Board of Directors established in accordance with the Corporate Governance Code, whose duty is to support, with adequate preparatory work, the assessments and decisions made by the Board of Directors with regard to the internal control and risk management system, as well as the decisions made regarding the approval of periodic financial reports;
The Person in charge of internal audit, responsible both for verifying that the internal control and risk management system is adequate and working correctly and for coordinating the Enterprise Risk Management (“ERM”) process;
The Officer in charge of drawing up corporate financial reports, who by law is responsible for establishing appropriate administrative and accounting procedures for the preparation of financial information documentation;
The Board of Statutory Auditors, also inasmuch as it is the committee for internal control and financial audit, which supervises the efficacy of the internal control and risk management system;
The other corporate functions and roles with specific tasks regarding internal control and risk management, organised according to size, complexity and risk profile of the undertaking, including, for example, the Compliance Committee established in accordance with Legislative Decree 231/2001.