In a context characterised by a high level of operational and regulatory complexity and the need to compete more and more efficiently in the reference markets, risk management and the related control systems take on a central role in the decision-making processes, with a view to creating long-term value to the benefit not only of the shareholders, but also in consideration of the interests of the other stakeholders of relevance to the company.

The Poste Italiane’s Internal Control and Risk Management System (SCIGR) is a combination of tools, procedures, rules and organisational structures, designed to ensure that the business is managed in a way that is sound, fair and consistent with the corporate objectives, and to pursue sustainable success, through an adequate definitions of players, duties and responsibilities of the various corporate bodies and control functions as well as through the identification, measurement, management and monitoring of the main risks, and through the structuring of adequate reporting lines to expedite the flow of information.

This system is a fundamental element of Poste Italiane’s corporate governance system, as it enables the Board of Directors to guide the Company in its pursuit of long-term value creation, defining the nature and level of risk compatible with its strategic objectives, and including in its assessments all elements that may be relevant to sustainable success. In particular, in line with the main leading practices that place particular emphasis on the integration of sustainability into strategies, risk management and remuneration policies, Poste Italiane’s SCIGR aims to contribute to the Company’s sustainable success by defining ESG roles and responsibilities, information flows between the players involved in the internal control system and towards corporate bodies, and the methods of managing the related risks. Moreover, in order to achieve this objective, the Company has decided to promote dialogue with the relevant stakeholders (Multistakeholder Forum153), in order to ensure a constant exchange of views on business strategies and their implementation.

In line with statutory requirements and the related best practices, the SCIGR consists of three levels of control and involves a range of actors within the organisation. The first-level control units identify, assess, manage, and monitor those risks for which they are responsible, and in respect of which they identify and implement specific actions aimed at ensuring operational compliance. The second-level control units, whose role consists primarily of defining risk management models and carrying out monitoring activities, play a key role in the integration and overall functioning of the Internal Control and Risk Management System. The third-level controls, managed at Poste Italiane by the Internal Auditing function, provide independent assurance on the adequacy and effective operation of the first and second levels of control and, in general, on the SCIGR.

Risk Management model

Poste Italiane has adopted a Risk Management model based on the Enterprise Risk Management (ERM) framework, with the aim of providing an organic, integrated vision and an effective, standardised response to the risks to which the Group is exposed. The outcomes of the risk assessment process carried out according to the ERM framework contribute to the analyses performed for the assessment of the Group’s financial materiality as part of the dual materiality analysis.

The Group Risk and Compliance function (“RCG”) is responsible for ensuring that these objectives are met. This is primarily done through the definition of an integrated risk management process that relies on the coordinated involvement of all the actors in the Internal Control and Risk Management System, above all the specialist forms of second-level control, the use of standardised models and metrics based on Group-wide criteria, and the design and implementation of shared tools for assessing and managing risk.

In this latter regard, the Group implemented an integrated Governance, Risk and Compliance (GRC) platform in 2018 to support the integrated risk management process. The IT tool allows the analysis and management of, inter alia, operational risks, in accordance with Legislative Decree no. 231/01, pursuant to Law 262/05, strategic, ESG, reputational, fiscal, physical security, Compliance, privacy and corruption risks as well as compliance with the rules applicable to financial and payment services. In addition, new application modules were implemented in 2025, in particular aimed at assessing double materiality, integrating the results of short-term forecast analysis on the relevant scenarios reflected in the Plan and Budget forecasts, as well as evolutionary changes by extending the functionalities already in use in the Group.

This is the tool that has enabled the Group to maximise integration of the risk management process, ensuring that risk assessment methods are shared across all the specialist second-level control functions. At the same time, it has improved communication with senior management and corporate bodies and between the various control functions, minimising the risk of inadequate or redundant information.

Poste Italiane’s main risks

The Poste Italiane Group ensures that the conduct of the business is consistent with the objectives defined by the Board of Directors, taking into account the risks that may affect the achievement of those objectives. The main risk categories associated with the Poste Italiane Group’s activities are identified in the Group Risk Model.

Poste Italiane periodically conducts risk assessment activities in a structured manner in order to identify and assess the main risks that may significantly affect the achievement of business objectives. In this sense, the main factors influencing the Group’s strategies include not only changes related to the domestic context, but also developments in the political, social and macroeconomic framework of reference, in view of the country’s general objectives for a sustainable economic recovery, as well as the current geopolitical context, characterised by strong instability.

The Group’s main risks, their respective risk model categories and management methods are outlined below.

The Poste Italiane Group’s results depend on the macroeconomic context and, in particular, the national economy - Italy being the country in which the Group operates almost exclusively - and are adversely affected by any economic recession, market crisis or period of instability. A prolonged situation of economic uncertainty may lead to stagnation or a decrease in demand for one or more of the different business areas in which Poste Italiane and the Group operate. This, in turn, could result in a decrease in volumes, prices and profitability levels, with possible negative effects on the Group’s financial condition and operating results.

Main management methods

Poste Italiane constantly monitors developments in the geopolitical, social, macroeconomic and regulatory context that could have an impact on the Group’s business and operations. To this end, the Group carries out in-depth analyses and appropriate strategic planning in order to mitigate the impacts of the unstable macroeconomic environment and to ensure Poste Italiane’s financial and operational soundness over the long-term.

Moreover, the dynamics of macroeconomic variables are constantly monitored in order to verify their consistency over time with the assumptions made underlying the Strategic Plan. These activities are also carried out through the analyses of the Group’s Research Centre within BancoPosta Fondi, which periodically conducts in-depth studies on the national and global macroeconomic scenario, also with a view to supporting the adoption of medium/longterm strategic choices.

In view of the Company’s decisive role for the economic, social and productive fabric of Italy, also due to the provision of the Universal Postal Service, Poste Italiane relies on around 120,000 employees. This organisational complexity, mainly determined by the requirements in the mail business in terms of geographical area coverage and delivery quality standards, exposes the Group to various risks, such as:

  • risk of workplace accidents to employees or associates as a result of operational activities (e.g. collecting, transporting and sorting parcels and letters and delivering products by motor vehicles);
  • labour disputes, for example, related to labour interposition and social security disputes related to voluntary and compulsory contribution payments;
  • risk that any strikes or work stoppages (albeit in compliance with the law) could have repercussions, such as blockages or slowdowns, on the implementation of the main project initiatives envisaged in the Strategic Plan, on the level of services offered to customers, on the reputation and, therefore, on the Group’s financial results.

Main management methods

Poste Italiane attaches great importance to the people who work within the company and, for this reason, aims to invest significantly in initiatives that aim to improve the working conditions of its employees and support their motivation, promoting information and awareness campaigns in order to support people’s physical and mental well-being, and create an inclusive working environment in order to neutralise inequalities.

The Poste Italiane Group considers the protection of health and safety at work a fundamental element, which all employees must be inspired by in carrying out their daily activities. The Company is constantly committed to adopting all the necessary measures to reduce accidents, occupational injuries and illnesses by fostering the establishment of a corporate culture based on safety in all organisational layers, and by promoting the constant improvement of occupational health and safety management systems also through the continuous assessment of risks and the updating of related rules and procedures.

Poste Italiane has also set up corporate functions dedicated to Welfare that propose and suggest intergenerational, modular and solidarity-based programmes, tools and strategies for the well-being of personnel and, in general, for collective balances. As part of its Welfare policies, the Group also supports care and prevention for its employees, their families and pensioners through the Poste Centro Medico health facility.

Finally, sustaining a constant relationship of information and consultation with the Labour Unions (OO.SS.) on issues of common interest is an essential priority for the Group, which is committed to ensuring the protection of the rights of its workers, safeguarding freedom of association, and enhancing collective bargaining at every level. In particular, through regular meetings with the trade unions, Poste Italiane maintains constant dialogue with workers’ representatives, with the aim of guaranteeing and preserving the well-being and protection of workers’ rights. Therefore, agreements have been reached in accordance with the National Collective Labour Agreement (CCNL) and the Consolidated Law on Representation, which aim to foster the creation of a positive company climate, ensuring compliance with current legislation. The continuous dialogue and the effective and constructive relationship between the Company and the Social Partners constitute a distinctive and significant element in the Group’s growth and evolution strategy, also preventing conflicts and strikes from arising.

Finally, Poste Italiane has endowed itself with organisational functions which, also through consultancy activities and specialist support to the functions involved, ensure the monitoring of pre-litigation and labour litigation issues and guarantee the drafting and dissemination of guidelines for the effective management of litigation activities carried out at a territorial level, verifying their application.

The increase in the level of detail and complexity of legal and regulatory compliance required by the authorities for their areas of competence requires a growing cultural and operational change within companies. The Group, which operates in several sectors including postal services, integrated communication services, logistics, energy, financial services and insurance, is subject to numerous laws and regulations, both sector-specific and in the areas of taxation, anti-money laundering, privacy, antitrust and the environment. In addition, by virtue of the exclusive assignment to Poste Italiane of the Universal Postal Service, risks of non-compliance related to specific regulations and the existing contract entered into with public authorities may arise. In particular, in view of the complexity and heterogeneity of the Group’s operations and the obligations arising from the management of services of general economic interest, Poste Italiane could run the risk of not responding in a timely manner to the demands of legislators and regulators (e.g., on governance structures, responsible finance, artificial intelligence, etc.). This could result in eventual breaches of applicable regulations (or allegations of breaches) making the Company and/or the Group the recipients of fines, corrective actions and/or business suspension requests, which could adversely affect the Group’s reputation, revenue, operating results and/or financial condition.

With particular regard to the legislation on artificial intelligence, as defined by Law no. 132 of 23 September 2025, in force since 10 October 2025, which transposes EU Regulation 2024/1689 (AI Act), a compliance project has been launched aimed at ensuring the Group level fulfils the requirements of the regulations, including equipping itself with a specific system for assessing and managing foreseeable risks to health, safety and fundamental rights by integrating this system into the broader risk management system model. During the project, it was also verified that no systems prohibited by the aforementioned EU Regulation had been introduced.

Main management methods

Given the operational complexity of Poste Italiane and the numerous sectors in which the Group operates, as well as the legal and reputational impacts associated with the risk of non-compliance, the Company has defined an integrated compliance process at Group level. This process is coordinated by a dedicated organisational unit of the RCG function, with the aim of overseeing - in a structured manner for each level of the company and in a manner appropriate to each sector of activity - the risks of non-compliance to which the Group is exposed, thereby fully implementing the principles of integrity, transparency and legality.

In particular, the Group’s Integrated Compliance process is based on a structured and coordinated approach to compliance that combines multiple needs, through the integration and rationalisation of existing risks and controls, also taking into account legal and reputational impacts and the risk-based approach. As part of said process, Poste Italiane also takes part in technical and working groups on regulatory developments, in order to ensure analysis of changes in the regulatory framework, guaranteeing its correct implementation, and represent the Company’s position on these issues to national and international bodies, in order to support the Company’s business. In addition, the Group constantly analyses regulatory developments of interest, assessing their applicability to business operations. This analysis also includes the recognition, implementation and monitoring of the correct transposition of the requirements identified in the regulatory analysis. 

As part of the overall Integrated Compliance Model, Poste Italiane has put in place specialised control units that guarantee the analysis, assessment and proper management of regulations relating to the areas of compliance relevant to the Group.

The role of information security is fundamental for the achievement of Poste Italiane strategic and operational objectives, also in view of the criticality of business processes and the need to protect the business in the face of a constant increase in cyber threats.

Proper IT security management effectively manages the risks of information system malfunctions and/or deficiencies that could lead to disruptions in the operational continuity of customer services, loss of data integrity, and/or personal data leaks or privacy violations.

The cyber risk is defined as the risk of incurring economic, reputational or market share losses resulting from acts deliberately aimed at: y sabotaging security measures in order to gain unauthorised access to ICT systems or the data they collect, process and transmit; y causing the unavailability of ICT systems, processes or services by exploiting technological vulnerabilities that insist on IT systems supporting business processes and the delivery of services to customers.

Cyber risk is perceived to be among the greatest risks globally in terms of probability of occurrence and potential impact generated; the reasons are mainly the speed of business innovation, the increasing complexity of technology - which is becoming progressively smarter, more sophisticated and pervasive - the growth of interconnections and the relative speed, volume and variety of data exchanged between network nodes. This exponentially increases the surface area exposed to cyber threats and, therefore, the perceived risk tends to grow, especially in view of the increasing experience and organisation of cyber criminals.

Main management methods

In order to ensure adequate protection of the company’s information assets, Poste Italiane has defined specific cross-functional operational processes for security management. These processes provide for the execution of security activities, addressed by a continuous process of identifying, analysing and assessing risks, as well as selecting appropriate strategies for their prevention and management, including, for example, the drafting of the Permanent Security Plan, which defines priorities and plans the development of security measures. As of the year 2023, the Company has activated Group Cyber Risk coverage with leading insurance companies. The Company also guarantees the continuous addressing of adequate levels of confidentiality, integrity and availability of the data processed and the services provided, ensuring appropriate compliance with legal, national and international regulations (e.g. Regulation (EU) 2022/2554 (DORA), EU Directive 2022/2555 (NIS2) and the PSD2 Directive) by constantly updating the IT risk control system. In particular, the DORA Regulation introduces a uniform European regulatory framework for the management of cyber risks arising from information and communication technologies (ICT) in the financial and insurance sectors, responding to the need for digital operational resilience dictated by the relentless development of digital finance and ensuring, at the same time, innovation, competitiveness and consumer protection. Please refer to the regulatory framework of the Financial Services SBU for more details on the Regulation and the status of compliance by the supervised companies of the Poste Italiane Group. With reference to the sustainability aspects of this risk, please refer to Chapter 8 “Consolidated Sustainability Statement” of this Report for details.

The Poste Italiane Group operates in competitive sectors and measures itself against its competitors mainly in relation to factors such as technological innovation, quality, breadth and reliability of services, speed and punctuality of delivery, performance, reputation, customer support and price of services offered.

Consequently, the Group’s future business prospects depend, to a large extent, on its ability to remain competitive by meeting changing customer needs, anticipating technological changes, and developing effective and competitive relationships with its customers and suppliers.

The intensification of competition in the sectors in which Poste Italiane operates could result in a reduction in revenue and market share with consequent negative effects on the Group’s business, prospects and financial position.

In particular, the postal services market is going through a phase of radical change, mainly linked to the digital and logistical transformation, which has affected the volume of letters and parcels. The historical decline of traditional mail, replaced by digital forms of communication, is accompanied by a significant increase in the volume of parcels.

The Group’s banking and insurance activities are also exposed to competitive risks. In the financial services sector, BancoPosta has to cope with a continuously consolidating market and, in this context, it becomes crucial to respond promptly to competitive pressures in order to retain its customers. Similarly, in the insurance market, the Group is exposed to the typical risks arising from competitive pressure in the Italian insurance market, which is mainly characterised by the creation of bancassurance agreements between banks and insurance companies, aimed at offering customers both banking and insurance products and services, leveraging their respective distribution channels.

Main management methods

Poste Italiane is the main postal service provider in Italy in charge of providing the Universal Postal Service, a public utility service aimed at guaranteeing all citizens of the country access to postal services. Through a proprietary multi-channel distribution logistics platform, Poste Italiane has added parcel delivery to its traditional mail delivery business in order to seize the opportunities offered by the rapid growth of e-commerce.

As regards the management of competitive risk in the other sectors in which the Group operates, Poste Italiane acts through a structured approach aimed at ensuring financial stability and market competitiveness, maximising value for customers and improving operational efficiency. In particular, the Group adopts a strategy of differentiating its banking and insurance products, focusing on integrated and customisable solutions to meet different customer needs, as well as diversifying investment and insurance opportunities with the aim of maintaining positive results and guaranteeing a high level of quality and customer satisfaction.

In addition, Poste Italiane invests heavily in digital innovation to counter competition in the relevant sectors, implementing a series of initiatives to modernise its services, making them more accessible, efficient and adapted to the needs of customers in today’s digital environment. In particular, Poste Italiane continuously implements initiatives aimed at satisfying the new needs expressed by customers, offering products that are increasingly modular and in line with developments in the reference markets.

In this context, Poste Italiane recognises the importance of artificial intelligence (AI) as a tool to support and accelerate the achievement of its strategic objectives and has embarked on a path to adopt such solutions in order to exploit their potential to the full. At the same time, the Company has adopted an AI governance model that ensures a safe and responsible approach that complies with the relevant regulatory framework and takes into account the impact on human capital, process efficiency, service quality and customer relations. Please refer to section 6.4 “Digital and third-party networks in the Group’s omnichannel strategy” for the initiatives undertaken by the Group and the governance aspects in the area of AI.

The Group’s Integrated Policy pays particular attention to the issue of quality, documenting Poste Italiane’s commitment to the continuous integration of quality within the company’s development strategy and all the processes that contribute to the design, development and implementation of a product or service.

As a result, the Group may not be able to meet quality standards and customer expectations, leading to a deterioration in customer satisfaction and perceived quality levels, as well as the partial or non-achievement of the Strategic Plan’s objectives related to the growth and/or maintenance of the customer base, with current and prospective consequences on the Group’s economic, financial and equity situation. 

Main management methods

Customer satisfaction is a central objective in the quality policies of the Poste Italiane Group, which is committed to pursuing it by actively promoting listening opportunities, which are essential to ensure constant improvement in the quality of the products and services provided.

To this end, the Company has implemented a monitoring process aimed at both continuous improvement of the quality delivered and that perceived by the end user. Thanks to a KPI system and periodic reporting covering the entire range of products and services offered, management is constantly updated on developments in the relevant trends, ensuring a high level of quality.

In addition, the Group has initiated a process of continuous improvement of the customer experience, which starts with listening (internal and external) and analysing processes through artificial intelligence-based technologies. In addition, Poste Italiane adopts digital tools that contribute significantly to increasing the quality and services provided, for the purpose of monitoring on-time delivery levels for mail and parcels and first delivery success for parcels.
One of the Group’s objectives is the quick and effective resolution of customer complaints through a streamlined and easily accessible complaints management system that allows for immediate resolution of issues.

Finally, with reference to the value that the company attaches to the quality perceived by customers, a Customer Experience objective was set for the recipients of the MBO (Management By Objectives) programme to ensure that management objectives are aligned with customer needs and expectations.

Financial risks are regulated and supervised by the Authorities (Bank of Italy and IVASS) mainly related to the operations of BancoPosta RFC and PostePay’s ring-fenced EMI, asset financing and lending operations, as well as investments made by the Poste Vita insurance group (spread risk, price risk, credit risk, liquidity risk, fair value interest rate risk, cash flow inflation rate risk and currency risk). The risks of insurance management relate to the conclusion of insurance contracts and the conditions envisaged in said contracts.