In a context characterised by a high level of operational and regulatory complexity and the need to compete more and more efficiently in the reference markets, risk management and the related control systems take on a central role in the decision-making processes, with a view to creating long-term value to the benefit not only of the shareholders, but also in consideration of the interests of the other stakeholders of relevance to the company.
Poste Italiane’s Internal Control and Risk Management System (SCIGR) is a combination of tools, procedures, rules and organisational structures, designed to ensure that the business is managed in a way that is sound, fair and consistent with the corporate objectives, and to pursue sustainable success, through an adequate definition of the players, duties and responsibilities of the various corporate bodies and control functions, through the identification, measurement, management and monitoring of the main risks, and through the structuring of adequate reporting lines to expedite the flow of information.
This system is a fundamental element of Poste Italiane’s corporate governance system, as it enables the Board of Directors to guide the Company in its pursuit of long-term value creation, defining the nature and level of risk compatible with its strategic objectives, and including in its assessments all elements that may be relevant to sustainable success. In particular, in line with leading practices that place particular emphasis on the integration of sustainability into strategies, risk management and remuneration policies, Poste Italiane’s SCIGR aims to contribute to the Company’s sustainable success by defining ESG roles and responsibilities, information flows between the players involved in the internal control system and towards corporate bodies, and the methods of managing the related risks. Moreover, in order to achieve this objective, the Company has decided to promote dialogue with the relevant stakeholders (Multistakeholder Forum), in order to ensure a constant exchange of views on business strategies and their implementation.
In line with statutory requirements and the related best practices, the SCIGR consists of three levels of control and involves a range of actors within the organisation. The first-level control units identify, assess, manage, and monitor those risks for which they are responsible, and in respect of which they identify and implement specific actions aimed at ensuring operational compliance. The second-level control units, whose role consists primarily of defining risk management models and carrying out monitoring activities, play a key role in the integration and overall functioning of the Internal Control and Risk Management System. The third-level controls, managed at Poste Italiane by the Internal Auditing function, provide independent assurance on the adequacy and effective operation of the first and second levels of control and, in general, on the SCIGR.
Risk management model
Poste Italiane has adopted a Risk Management model based on the Enterprise Risk Management (ERM) framework, with the aim of providing an organic, integrated vision and an effective, standardised response to the risks to which the Group is exposed. The outcomes of the risk assessment process carried out according to the ERM framework contribute to the analyses performed for the assessment of the Group’s financial materiality as part of the dual materiality analysis.
The Group Risk and Compliance function (“RCG”) is responsible for ensuring that these objectives are met. This is primarily done through the definition of an integrated risk management process that relies on the coordinated involvement of all the actors in the Internal Control and Risk Management System, above all the specialist forms of second-level control, the use of standardised models and metrics based on Group-wide criteria, and the design and implementation of shared tools for assessing and managing risk.
In this latter regard, the Group implemented an integrated Governance, Risk and Compliance (GRC) platform in 2018 to support the integrated risk management process. The IT tool allows the analysis and management of, inter alia, operational risks, risks pursuant to Legislative Decree no. 231/01 and Law 262/05, strategic, ESG, reputational, fiscal, physical security, compliance, privacy and corruption risks, as well as compliance with the rules applicable to financial and payment services. In addition, new application modules were implemented in 2025, in particular aimed at assessing double materiality and at integrating the results of short-term forecast analysis on the relevant scenarios reflected in the Plan and Budget forecasts, together with evolutionary changes that extend the functionalities already in use in the Group.
This is the tool that has enabled the Group to maximise integration of the risk management process, ensuring that risk assessment methods are shared across all the specialist second-level control functions. At the same time, it has improved communication with senior management and corporate bodies and between the various control functions, minimising the risk of inadequate or redundant information.
Poste Italiane’s main risks
The Poste Italiane Group ensures that the conduct of the business is consistent with the objectives defined by the Board of Directors, taking into account the risks that may affect the achievement of those objectives. The main risk categories associated with the Poste Italiane Group’s activities are identified in the Group Risk Model.
Poste Italiane periodically conducts risk assessment activities in a structured manner in order to identify and assess the main risks that may significantly affect the achievement of business objectives. In this sense, the main factors influencing the Group’s strategies include not only changes related to the domestic context, but also developments in the political, social and macroeconomic framework of reference, in view of the country’s general objectives for a sustainable economic recovery, as well as the current geopolitical context, characterised by strong instability.
The Group’s main risks, their respective risk model categories and management methods are outlined below.
The increasing level of detail and complexity of the legal and regulatory compliance required by the authorities in their areas of competence calls for a growing cultural and operational change within companies. The Group, which operates in several sectors including postal services, integrated communication services, logistics, energy, financial services and insurance, is subject to numerous laws and regulations, both sector-specific and in the areas of taxation, anti-money laundering, privacy, antitrust and the environment. In addition, by virtue of the exclusive assignment to Poste Italiane of the Universal Postal Service, risks of non-compliance related to specific regulations and to the existing contract entered into with public authorities may arise. In particular, in view of the complexity and heterogeneity of the Group’s operations and the obligations arising from the management of services of general economic interest, Poste Italiane could run the risk of not responding in a timely manner to the demands of legislators and regulators (e.g., on governance structures, responsible finance, artificial intelligence, etc.). This could result in breaches of applicable regulations (or allegations of breaches) making the Company and/or the Group the recipients of fines, corrective actions and/or business suspension requests, which could adversely affect the Group’s reputation, revenue, operating results and/or financial condition.
With particular regard to the legislation on artificial intelligence, as defined by Law no. 132 of 23 September 2025, in force since 10 October 2025, which transposes EU Regulation 2024/1689 (AI Act), a compliance project has been launched aimed at ensuring that the Group fulfils the requirements of the regulations, including equipping itself with a specific system for assessing and managing foreseeable risks to health, safety and fundamental rights, by integrating this system into the broader risk management model. During the project, it was also verified that no systems prohibited by the aforementioned EU Regulation had been introduced.
Main management methods
Given the operational complexity of Poste Italiane and the numerous sectors in which the Group operates, as well as the legal and reputational impacts associated with the risk of non-compliance, the Company has defined an integrated compliance process at Group level. This process is coordinated by a dedicated organisational unit of the RCG function, with the aim of overseeing - in a structured manner for each level of the company and in a manner appropriate to each sector of activity - the risks of non-compliance to which the Group is exposed, thereby fully implementing the principles of integrity, transparency and legality.
In particular, the Group’s Integrated Compliance process is based on a structured and coordinated approach to compliance that combines multiple needs, through the integration and rationalisation of existing risks and controls, also taking into account legal and reputational impacts and the risk-based approach. As part of said process, Poste Italiane also takes part in technical and working groups on regulatory developments, in order to ensure analysis of changes in the regulatory framework, to guarantee their correct implementation, and to represent the Company’s position on these issues to national and international bodies, in support of the Company’s business. In addition, the Group constantly analyses regulatory developments of interest, assessing their applicability to business operations. This analysis also includes the recognition, implementation and monitoring of the correct transposition of the requirements identified in the regulatory analysis.
As part of the overall Integrated Compliance Model, Poste Italiane has put in place specialised control units that guarantee the analysis, assessment and proper management of regulations relating to the areas of compliance relevant to the Group.
The role of information security is fundamental for the achievement of Poste Italiane’s strategic and operational objectives, also in view of the criticality of business processes and the need to protect the business in the face of a constant increase in cyber threats.
Proper IT security management effectively manages the risks of information system malfunctions and/or deficiencies that could lead to disruptions in the operational continuity of customer services, loss of data integrity, and/or personal data leaks or privacy violations.
Cyber risk is defined as the risk of incurring economic, reputational or market share losses resulting from acts deliberately aimed at:
• sabotaging security measures in order to gain unauthorised access to ICT systems or the data they collect, process and transmit;
• causing the unavailability of ICT systems, processes or services by exploiting technological vulnerabilities affecting the IT systems that support business processes and the delivery of services to customers.
Cyber risk is perceived to be among the greatest risks globally in terms of probability of occurrence and potential impact; the reasons are mainly the speed of business innovation, the increasing complexity of technology - which is becoming progressively smarter, more sophisticated and pervasive - and the growth of interconnections, together with the speed, volume and variety of data exchanged between network nodes. This greatly increases the surface area exposed to cyber threats and, therefore, the perceived risk tends to grow, especially in view of the increasing experience and organisation of cyber criminals.
Main management methods
In order to ensure adequate protection of the company’s information assets, Poste Italiane has defined specific cross-functional operational processes for security management. These processes provide for the execution of security activities, guided by a continuous process of identifying, analysing and assessing risks and of selecting appropriate strategies for their prevention and management, including, for example, the drafting of the Permanent Security Plan, which defines priorities and plans the development of security measures. Since 2023, the Company has had Group Cyber Risk insurance coverage in place with leading insurance companies. The Company also ensures that adequate levels of confidentiality, integrity and availability of the data processed and the services provided are continuously maintained, guaranteeing appropriate compliance with legal, national and international regulations (e.g. Regulation (EU) 2022/2554 (DORA), EU Directive 2022/2555 (NIS2) and the PSD2 Directive) by constantly updating the IT risk control system. In particular, the DORA Regulation introduces a uniform European regulatory framework for the management of cyber risks arising from information and communication technologies (ICT) in the financial and insurance sectors, responding to the need for digital operational resilience dictated by the relentless development of digital finance and ensuring, at the same time, innovation, competitiveness and consumer protection. Please refer to the regulatory framework of the Financial Services SBU for more details on the Regulation and the status of compliance by the supervised companies of the Poste Italiane Group. With reference to the sustainability aspects of this risk, please refer to Chapter 8 “Consolidated Sustainability Statement” of this Report for details.
Financial risks, which are regulated and supervised by the Authorities (Bank of Italy and IVASS), mainly relate to the operations of BancoPosta RFC and PostePay’s ring-fenced EMI, to asset financing and lending operations, and to the investments made by the Poste Vita insurance group (spread risk, price risk, credit risk, liquidity risk, fair value interest rate risk, cash flow inflation rate risk and currency risk). The risks of insurance management relate to the conclusion of insurance contracts and the conditions envisaged in said contracts.