Since its listing on the Stock Exchange, Poste Italiane has gradually consolidated, within the Internal Control and Risk Management System (SCIGR), a model of risk governance based on the Enterprise Risk Management (ERM) framework, in line with the Corporate Governance Code for Listed Companies and international best practice.

In the development and continual improvement of this model, which is still ongoing, the Company examined all areas - financial, insurance and business - with the aim of achieving an organic overall vision of the Group, harmonizing risk management tools and methods and reinforcing its awareness that understanding and measuring risk and identifying sustainable actions to contain it, in the various forms in which it may arise in a complex and variegated organization such as Poste Italiane, is one of the priorities which can significantly impact the achievement of its strategic targets.

The purpose of the Risk Management process is to identify, assess, treat and monitor the main risks affecting the Group's activities by means of a coordinated set of principles, rules, procedures, methodologies, tools and organisational structures that introduce safeguards into company operations that can effectively and efficiently control risks, while producing a continuous flow of information to support decision-making processes. Such an approach makes it possible to effectively manage the Group's exposure to the specific risks of its business, to carry out risk-based strategic planning and, where possible, to transform risks into opportunities and competitive advantage.

Among the organizational measures required for the effective surveillance and handling of corporate risks, Poste Italiane Group has begun a process to integrate all structures performing the same functions in different companies/corporate departments, with the aim of achieving tighter governance and more efficient procedures.

In particular, within the Corporate Affairs function, the to-be-established "Group’s Sustainable Development, Risk and Compliance" (SSRCG) function is in charge of the following: 
 
  • establish a structured and integrated process to identify, evaluate and monitor risks in conjunction with the other SCIGR actors;
  • guarantee harmonized and integrated models and data flows between specialist second level control units, group companies and supervisory bodies through the implementation of an integrated platform across departments to manage and monitor risk at Group level;
  • oversee reporting to the Corporate Bodies with the aim of strengthening the SCIGR;
  • foster the diffusion of a risk management culture at every corporate level to systematically manage the organization's biggest risks and identify potential opportunities.

The Risk Management process consists of six phases, described below:

Phase I: Risk management guidelines
The Board of Directors of Poste Italiane S.p.A., after consultation with the Control and Risk Committee: i) defines the Group's risk management guidelines, so that the main risks are correctly identified and adequately measured, managed and monitored; ii) determines the degree of compatibility of these risks with a management of the business consistent with the strategic objectives. The Managing Director implements the guidelines on the management of group risks defined by the Board of Directors of Poste Italiane, taking care of the design, implementation and management of the Risk Management process and constantly checking its adequacy and effectiveness.

Phase II: Risk Management framework definition and update
The competent function has the task of defining and updating the overall Risk Management framework of the Group, developed according to a process-oriented logic, managing the evolution of tools and methodologies in line with business dynamics, best practices and the regulatory context of reference.

Phase III: Goal Analysis & Risk Briefing
The competent function, with the support of the other company functions with second-level control tasks, carries out the analysis of the objectives and the correlated company processes (Goal Analysis) and, subsequently, proceeds with the preliminary identification of the risks that can undermine the achievement of the company objectives (Risk Briefing).

Phase IV: Integrated Risk Assessment
The competent function, with the support of the other functions with second-level control tasks, coordinates the Risk Owners in the Risk Assessment phase with the aim of identifying the main risks of the Group and assessing their degree of relevance.

Phase V: Risk Treatment
For the risks identified and assessed in the Risk Assessment phase, the most appropriate treatment strategies are defined, in line with the level of risk propensity, through the identification, by the Risk Owners, of the treatment actions to be adopted and/or already adopted, of the tools and indicators used to monitor the evolution of the risk (KRI and KPI) and the implementation of the treatment actions (KCI), of the attention thresholds for the indicators to be monitored and of the timeframes for the implementation of the treatment actions and the relevant managers.

Phase VI: Risk Monitoring & Reporting
The correct and punctual performance of monitoring and reporting activities is essential to guarantee the effectiveness of the process and the reliability of the reports addressed to Top Management and the Control Bodies. In particular, the activity of monitoring the evolution of risks and the implementation of the relative treatment plans is carried out by the competent function within the area, which aggregates and consolidates the information on the various risks obtained from the Risk Owners and the other functions with second level control tasks.

Moreover, the competent SSRCG department has set up an accurate and timely integrated reporting system that allows for a complete and aware management of the Group's risks, based on two information levels: i) integrated Reporting to Top Management and Corporate Bodies; ii) Management Reporting that includes horizontal information flows between the corporate functions involved in the Risk Management process.



The Sustainable Development, Risk and Compliance function supports the top management in effectively implementing Group-wide Enterprise Risk Management, covering all areas/types of risk, primarily identified according to a process-based rationale.
Poste Italiane group risks can be grouped into the following macro categories:
 
  • strategic risks: risks in this category could influence achievement of the goals set out in the Strategic Plan and are identified, classified and monitored with the involvement of management from the SSRCG function. This process describes the key nature of the risks, the triggers and the potential consequences or effects, in both financial terms (e.g. losses, increased costs due to delays or the failure to implement restructuring plans and efficiencies, reduced revenue), and in other terms (e.g. customer satisfaction);
  • operational risks: operational risks refer to the risk of losses resulting from inadequate or failed internal processes, people and systems at Group level, or from external events. Management of operational risk takes place at both the level of specialist units within the Group (BancoPosta Risk Management, Poste Vita Group Risk Office and PostePay Risk Management and Compliance), in compliance with the respective supervisory standards, and at an integrated level, involving the SSRCG function. The following risks, among others, are closely monitored: i) IT risk, above all the risk that malfunctions and/or shortcomings in information systems could result in the loss of data integrity, leaks of personal data or breaches of confidentiality, potentially causing disruption to the services provided to customers; ii) health and safety risk, with specific regard to the risk of workplace injury to employees or contractors as a result of operations (e.g. the collection, transport and sorting of parcels and letter post, and the delivery of postal products using motor vehicles); iii) physical security risk, relating to access to the headquarters premises of Group companies, to Post Offices or other private areas by unauthorised or unidentified persons, and the limited protection of Poste Italiane’s assets and property against criminal behaviour (robberies, losses resulting from fraud, theft, ATM attacks, vandalism, etc.). Operational risk also includes disruption and/or obstacles to entry to the Group’s operating facilities (mail sorting centres and delivery offices, etc.) due to industrial action or strikes;
  • compliance: this refers to risks of breaches of existing laws and regulations, such as the risks connected with former Legislative Decree no. 231/01, former Law 262/05, Data Protection and Market Abuse regulations or the introduction of new legislation or regulations (or new interpretations of legislation and regulations) of either general importance (e.g. regarding administrative, accounting, tax matters, etc.) or specific to the sectors in which Poste Italiane Group operates. This risk category includes the risks linked to the introduction of new regulations governing the management and development of Universal Postal Services and the related rates providing a return for Poste Italiane, and the risk of the failure to meet the service quality standards set by the regulator (the Autorità per le Garanzie nelle Comunicazioni or AGCom);
  • reputational risks: this category regards the risks connected with a negative perception among the Group’s stakeholders, in response to which the Group has adopted a stakeholder engagement framework in order to identify and assess this type of risk at source. The main element of reputational risk to which the Group is, by its nature, exposed is linked to market performance and primarily associated with the placement of postal savings products and investment products issued by third-party entities (bonds, certificates and real estate funds) or by Group companies (insurance policies issued by the subsidiaries, Poste Vita and Poste Assicura, and mutual funds managed by BancoPosta Fondi SGR), and those linked to the perceived and effective quality of the services related to letter post and parcel delivery;
  • ESG: risks arising from factors related to environmental, social and governance issues (in particular, linked to human rights, climate change and sustainable finance);
  • financial and insurance risks: financial risks that are regulated and overseen by supervisory authorities (the Bank of Italy and IVASS, the insurance industry regulator) and the responsibility of the Risk Management units belonging to the various business units, coordinated by the function responsible for Sustainable Development, Risk and Compliance at Group level. Financial risk primarily relates to the operations of BancoPosta and PostePay’s ring-fenced EMI (the active management of the liquidity deriving from postal current account deposits, and of collections and payments carried out in the name of and on behalf of third parties), asset financing and the investment of liquidity and, as regards the Poste Vita Insurance Group, investments designed to cover contractual obligations to policyholders. Insurance risks derive from the stipulation of insurance contracts and the terms and conditions contained therein (technical bases adopted, premium calculation, the terms and conditions of redemption, etc.). In technical terms, mortality is one of the main risk factors for Poste Vita, i.e. any risk associated with the uncertainty of a policyholder’s life expectancy, alongside the risk associated with redemptions.

Poste Italiane SpA’s financial transactions primarily relate to BancoPosta’s operations, asset financing and liquidity investment, and Poste Vita SpA’s operations, investments designed to cover contractual obligations to policyholders on traditional life policies and index-linked and unit-linked policies.
The main market risk factors are: i) interest rate risk, the risk that the value of a financial instrument fluctuates as a result of movements in market interest rates, and ii) spread risk, the risk of a potential fall in the value of bonds held, following a deterioration in the creditworthiness of issuers.

The Group Risk Management process enables the identification of various kinds of risks and their classification, based on their ultimate probability/impact within a matrix (Heat Map), for obtaining an overview of the risks to be monitored and prioritized.

The Group has also implemented an integrated Governance, Risk and Compliance (GRC) platform for surveying and filing all risks and displaying the collected data to each player in the process, consistently with the relevant profiling. The system also supports the SSRCG function and other players in respect of integrated risk reporting.